b'   2009 FISMA Executive Summary\n   Report\n\n\n\n\n                            REDACTED PUBLIC VERSION\n                                                      March 26, 2010\n                                                      Report No. 472\nPrepared by C5i Federal, Inc.\n\x0c                                                 UNITED STATES\n                                SECURITIES AND EXCHANGE COMMISSION\n                                           WASHINGTON, D.C.    20S49\n\n\n     OFFICE OF\n     OI\'"FICE OF\nINSPECTOR GENERAL\nINSPECTOR    GENERAL\n\n\n                                         MEMORANDUM\n                                                March 26, 2010\n\n\n            To:              Charles Boucher, Director, Office of Information Technology\n\n            From:            H. David Kotz, Inspector General, Office of Inspector General   (OIG)t\'Jdk-\n            Subject:         2009 F/SMA Executive Summary, Report No. 472\n\n            This memorandum transmits the U.S. Securities and Exchange Commission,\n            OIG\'s final report on the 2009 Federal Information Security Management Act of\n            2002 (FISMA) Evaluation. This report provides the Commission with a summary\n            of the responses OIG reported in the FISMA Web Portal to the Office of\n            Management and Budget on November 2009.\n\n            This report does not contain any recommendations. Based on the comments\n            received to the formal draft report and our assessment of the comments, we\n            revised the report accordingly.\n\n            Should you have any questions regarding this report, please do not hesitate to\n            contact me. We appreciate the courtesy and cooperation that you and your staff\n            extended to our contractor and auditor.\n\n            Attachment\n\n\n            cc:        Kayla J. Gillan, Deputy Chief of Staff, Office of the Chairman\n                       Diego Ruiz, Executive Director, Office of the Executive Director\n                       Lewis W. Walker, Deputy Director and Chief Technology Officer, Office of\n                         Information Technology\n                       Todd Scharf, Chief Information Security Officer, Office of Information\n                         Technology\n                       Barbara Stance, Chief Privacy Officer, Office of Information Technology\n\x0c2009 FISMA Executive Summary Report\n\n                            Executive Summary\nIn August 2009, the U.S. Securities and Exchange Commission (SEC or\nCommission), Office of Inspector General (OIG), contracted with C5i Federal,\nInc. (C5i) to assist with the completion and coordination of the OIG\xe2\x80\x99s input to the\nCommission\xe2\x80\x99s response to Office of Management and Budget (OMB)\nMemorandum M-09-29 Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management. The OMB\nmemorandum provides the instructions and templates for meeting the fiscal year\n(FY) 2009 reporting requirements under the Federal Information Security\nManagement Act of 2002 (FISMA), Title III, Pub. L. No. 107-347.\n\nC5i commenced work on this project in September 2009, after the final FISMA\nquestionnaires were promulgated by OMB. C5i\xe2\x80\x99s tasks included completing the\nOIG portion of the FISMA reporting template (Section C) and developing an\nExecutive Summary Report that communicates the Inspector General\xe2\x80\x99s (IG)\nresponse to the 2009 FISMA submission. In addition, the OIG requested\nseparate reports examining the Commission\xe2\x80\x99s implementation of encryption\ntechnology and the Commission\xe2\x80\x99s Privacy Program.\n\nFor 2009, OMB only accepted annual FISMA reports that were submitted online,\nusing a new automated reporting tool. This tool was designed to allow manual\ndata entry, as well as the automated upload of data. This report includes our\nrecommended responses to the questions in the 2009 FISMA questionnaires,\nwhich were promulgated separately by OMB.\n\nBackground. FISMA, 44 U.S.C. \xc2\xa7 3541, et seq., is a United States federal law\nenacted in 2002 as Title III of the E-Government Act of 2002. The statute\nrecognizes the importance of information security to the economic and national\nsecurity interests of the United States and requires each federal agency to\ndevelop, document, and implement an agency-wide program to provide\ninformation security for the information and information systems that support the\noperations and assets of the agency, including those provided or managed by\nanother agency, contractor, or other source.\n\nFISMA requires agency program officials, chief information officers, and OIG\xe2\x80\x99s to\nconduct annual reviews of the agency\xe2\x80\x99s information security and privacy\nprograms and report the results to OMB. OMB then uses the data to assist in its\noversight responsibilities and to prepare its annual report to Congress on agency\ncompliance with the statute.\n\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                         ii\n\x0cFISMA provides the framework for securing the federal government\xe2\x80\x99s information\ntechnology. All agencies must implement the requirements of FISMA and report\nannually to OMB and Congress on the effectiveness of their Privacy Program\nand Privacy Impact Assessment (PIA) processes. OMB uses the information to:\n\n       \xe2\x80\xa2   Help evaluate agency-specific and government-wide privacy\n           performance;\n       \xe2\x80\xa2   Develop its annual security report to Congress;\n       \xe2\x80\xa2   Assist in improving and maintaining adequate agency privacy\n           performance; and\n       \xe2\x80\xa2   Assist in the development of the E-Government Scorecard under the\n           President\xe2\x80\x99s Management Agenda.\n\nObjective. The objective for the FISMA assessment was to independently\nevaluate and report on how the Commission has implemented its mandated\ninformation security requirements. This report provides background information,\nclarification, and recommendations regarding the OIG\xe2\x80\x99s response and input to\nSection C of the OMB reporting template. The 2009 reporting categories and\nquestions are generally the same as they were in 2008, however, some were\nupdated based on security and privacy policies issued throughout the year.\n\nResults. The key findings and results for the 2009 FISMA evaluation include:\n\n   \xe2\x80\xa2   The Commission operates a total of 48 systems. Of those, 46 have been\n       evaluated as having a moderate system impact level. The remaining two\n       systems were evaluated as having a low system impact level.\n\n   \xe2\x80\xa2   The SEC routinely performs oversight and evaluations to ensure\n       information systems used or operated by a contractor of the agency, or\n       other organizations on behalf of the agency, meet applicable\n       requirements.\n\n   \xe2\x80\xa2   The Commission has developed an inventory of major information\n       systems. Performing a full inventory of all systems exceeded the scope of\n       our effort, but through our interviews, document reviews, and research, we\n       ascertained that the inventory is approximately 90 to 100 percent correct.\n\n   \xe2\x80\xa2   The Commission\xe2\x80\x99s Plan of Actions & Milestones (POA&M) process\n       provides an effective roadmap for continuous security improvement,\n       assists with prioritizing corrective action and resource allocation, and is a\n       valuable management and oversight tool.\n\n   \xe2\x80\xa2   The Commission\xe2\x80\x99s overall Certification and Accreditation (C&A) program\n       is assessed as being excellent, and in compliance with applicable\n       regulatory and statutory requirements.\n\n\n\n2009 FISMA Executive Summary Report                                      March 26, 2010\nReport No. 472\n                                          iii\n\x0c   \xe2\x80\xa2   The Privacy Office has made significant progress in its development of\n       privacy resources, in outreach within the Commission and Regional\n       Offices, and in benchmarking externally with other agencies. However,\n       the policies are still in draft form and therefore, the program is not fully\n       implemented throughout the Commission. Further details about this\n       matter are provided in a separate report.\n\n   \xe2\x80\xa2   The Commission has developed and disseminated formal, documented,\n       configuration management policies and implementing guidance that\n       satisfactorily addresses security configuration management requirements.\n       While not a specific question in the configuration management section of\n       the OMB reporting template, we found some areas of concern in the\n       SEC\xe2\x80\x99s encryption policies and procedures that are further detailed in a\n       separate report.\n   \xe2\x80\xa2   Federal Desktop Core Configuration (FDCC) has been successfully\n       implemented on all workstations and laptops and appropriate language\n       from Federal Acquisition Regulation (FAR) 2007-004, which modified Part\n       39\xe2\x80\x94Acquisition of Information Technology, is now included in all contracts\n       related to common security settings.\n   \xe2\x80\xa2   The Commission has robust incident prevention, detection, response, and\n       reporting capabilities and follows documented policies and procedures for\n       reporting incidents internally, to the United States Computer Emergency\n       Readiness Team (US-CERT), and to law enforcement.\n\n   \xe2\x80\xa2   As of November 15, 2009, Cyber Security Awareness training was\n       successfully completed by 4,101 of 4,383 (94 percent) users.\n\n   \xe2\x80\xa2   The Commission has monitoring systems and policies regarding the use\n       of collaborative web technologies and peer-to-peer file sharing in IT\n       security awareness training, ethics training, and other agency-wide\n       training.\n\nRecommendations. This report does not contain any formal recommendations.\nHowever, the OIG proposes that OIT use this Executive Summary report to\ndevelop the Commission\xe2\x80\x99s annual consolidated FISMA Report, in accordance\nwith OMB Memorandum M-09-29 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management.\n\n\n\n\n2009 FISMA Executive Summary Report                                       March 26, 2010\nReport No. 472\n                                          iv\n\x0cTABLE OF CONTENTS\nExecutive Summary ................................................................................................ ii\n\nTable of Contents ................................................................................................... v\n\nBackground and Objective\n     Background ....................................................................................................... 1\n     Objective ............................................................................................................ 2\n\nResults\n     Question 1: FISMA Systems Inventory .............................................................. 3\n     Question 2: Certification & Accreditation, Security Controls Testing, and\n      Contingency Plan Testing ................................................................................. 4\n     Question 3: Agency Oversight of Contractor Systems and Quality of\n      Agency Systems Inventory................................................................................ 5\n     Question 4: Evaluation of Agency Plan of Actions and Milestones Process ...... 9\n     Question 5: OIG Assessment of the Certification and Accreditation\n      Process ........................................................................................................... 12\n     Question 6: OIG Assessment of Privacy Program and PIA Process................ 17\n     Question 7: Configuration Management........................................................... 23\n     Question 8: Incident Reporting......................................................................... 28\n     Question 9: Security Awareness Training ........................................................ 37\n     Question 10: Peer-to-Peer File Sharing ........................................................... 38\n\nAppendices\n    Appendix I: Acronyms. .................................................................................... 40\n    Appendix II: Scope and Methodology.............................................................. 42\n    Appendix III: Criteria........................................................................................ 44\n    Appendix IV: Figure 1 CSAM Screenshot ....................................................... 47\n    Appendix V: Figure 2 Inventory of GAO POA&Ms .......................................... 48\n    Appendix VI: Figure 3 POA&M Entry Page. .................................................... 49\n    Appendix VII: Figure 4 POA&M Page ............................................................. 50\n    Appendix VIII: Figure 5 SEC Custom Query ................................................... 51\n    Appendix IX: Figure 6 System Inventories ...................................................... 52\n    Appendix X: Figure 7 Incident Escalation Flow Chart ..................................... 53\n    Appendix XI: Figure 8 Cyber Security Awareness Training............................. 54\n    Appendix XII: Management Comments........................................................... 55\n\n\n\n\n2009 FISMA Executive Summary Report                                                                 March 26, 2010\nReport No. 472\n                                                         v\n\x0cTables\n     Table 1: SEC Agency and Contractor Systems and Impact Level. .................... 3\n     Table 2: System Impact Levels for C&A, Tested Systems, and\n       Contingency Plans .......................................................................................... 5\n     Table 3: OIG Response to Question 3 .............................................................. 8\n     Table 4: OIG Response to Question 4. ........................................................... 11\n     Table 5: OIG Response to Question 5 ............................................................ 16\n     Table 6: OIG Response to Question 6 ............................................................ 22\n     Table 7: OIG Response to Question 7 ............................................................ 26\n     Table 8: Configuration Policy for Each OS/Platform/System........................... 27\n     Table 9: Laptop Theft Response Procedures.................................................. 31\n     Table 10: Unauthorized Access Response Procedure.................................... 32\n     Table 11: OIG Response to Question 8 .......................................................... 36\n     Table 12: OIG Response to Question 9 .......................................................... 38\n\nChart\n     Chart 1: CSIRT Organization .......................................................................... 30\n\n\n\n\n2009 FISMA Executive Summary Report                                                           March 26, 2010\nReport No. 472\n                                                     vi\n\x0cBackground and Objective\n\nBackground\n\nIn June 2009, the U.S. Securities and Exchange Commission (SEC or\nCommission), Office of Inspector General (OIG), contracted with C5i Federal,\nInc. (C5i) to assist with the completion and coordination of the OIG\xe2\x80\x99s input to the\nCommission\xe2\x80\x99s response to the Office of Management and Budget (OMB)\nMemorandum M-09-29 Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management. This memorandum\nprovides instructions and templates for meeting the FY 2009 reporting\nrequirements under the Federal Information Security Management Act of 2002\n(FISMA), Title III, Pub. L. No. 107-347.\n\nC5i commenced work this evaluation in September 2009, though some activities\nwhere delayed until the final online FISMA reporting tools were promulgated by\nOMB in late October 2009. The purpose of this report is to provide background\ninformation, clarification, and recommendations regarding OIG\xe2\x80\x99s responses and\ninput to Section C of the OMB reporting template. The 2009 reporting categories\nand questions are generally the same as they were in 2008. However, some\nareas were updated based on security and privacy policies issued during the\nyear. Again this year, OMB developed a formal Privacy Assessment\nQuestionnaire that allows agencies the ability to conduct privacy evaluations.\n\nFISMA provides the framework for securing the Federal Government\xe2\x80\x99s\ninformation technology. All agencies must implement the requirements of FISMA\nand report annually to the OMB and Congress on the effectiveness of their\nPrivacy Program and Privacy Impact Assessment (PIA) process. OMB uses the\ninformation to help evaluate agency-specific and government-wide Privacy\nperformance, develop its annual security report to Congress, assist in improving\nand maintaining adequate agency privacy performance, and assist in the\ndevelopment of the E-Government Scorecard under the President\xe2\x80\x99s Management\nAgenda.\n\nThe following additional documentation is also required to be forwarded, along\nwith the consolidated annual FISMA report:\n\n   \xe2\x80\xa2   Breach Notification Policy, if changed significantly since last year\xe2\x80\x99s report;\n   \xe2\x80\xa2   Progress update on eliminating unnecessary use of Social Security\n       Numbers (SSN); and\n\n2009 FISMA Executive Summary Report                                      March 26, 2010\nReport No. 472\n                                       Page 1\n\x0c   \xe2\x80\xa2   Progress update on review and reduction of holdings of Personally\n       Identifiable Information (PII).\n\nAgencies are required to submit to OMB their most current documentation\nrelated to OMB Memorandum M-07-16, of May 22, 2007, Safeguarding Against\nand Responding to the Breach of Personally Identifiable Information. This\ninformation should be appended to the Commission\xe2\x80\x99s annual report and includes\nthe agency\xe2\x80\x99s breach notification policy; implementation plan and progress update\non eliminating unnecessary use of SSN; and implementation plan and progress\nupdates on review and reduction of holdings of PII.\n\nTasks performed by C5i included completing the OIG portion of the FISMA\nreporting template (Section C); developing the Executive Summary Report of\nOIG\xe2\x80\x99s Input; and developing a report for the Senior Agency Official for Privacy\n(SAOP) that assessed the Commission\xe2\x80\x99s privacy program. In addition, C5i\nissued a report examining the Commission\xe2\x80\x99s implementation of encryption\ntechnology.\n\nThis is the third year that OMB guidance provided direction for OIG and Office of\nInformation Technology (OIT) heads to coordinate a consensus with the SAOP\non answers to the Privacy questionnaire. In previous years, the OIG\nindependently reported on how the Chairman, Chief Information Officer (CIO),\nand program officials referred to Privacy training and creation of PIAs for the\nvarious information systems. Therefore, the agency\xe2\x80\x99s consolidated report\npresents a cohesive view of the Commission\xe2\x80\x99s IT privacy accomplishments and\nareas for improvement.\n\nObjective\nThe objective for the FISMA assessment was to independently evaluate and\nreport on how the Commission implemented its mandated information security\nrequirements.\n\n\n\n\n2009 FISMA Executive Summary Report                                   March 26, 2010\nReport No. 472\n                                      Page 2\n\x0c                                        Results\nResponse to OMB Questions\nC5i researched the applicable issue areas and gathered the information needed\nto complete the OIG\xe2\x80\x99s portion of the FISMA reporting template. Our responses to\nthe template questions were based on the results we found.\n\nQuestion 1: FISMA Systems Inventory\nIdentify the number of agency and contractor systems by component and Federal\nInformation Processing Standards (FIPS) 199 impact level (low, moderate, high).\nPlease also identify the number of systems that are used by your agency but\nowned by another federal agency (i.e., ePayroll, etc.,) by component and FIPS\n199 impact level.\n\nResponse. C5i identified a total of 48 systems. OIT evaluated 46 of these\nsystems as having a moderate FIPS system level impact level and the remaining\ntwo systems as having low FIPS system impact levels. Forty-one of these\nsystems are SEC systems and five are contractor-owned or operated systems.\nWe found that the two low-level FIPS system impact systems are contractor\nsystems, as illustrated in Table 1 below.\n\n        Table 1: SEC Agency and Contractor Systems and Impact Level\n         System Impact Level     Agency      Contractor Total\n                                 Systems     Systems\n         High System Impact Level             0         0            0\n         Moderate System Impact              41         5           46\n         Level\n         Low System Impact Level              0         2            2\n         Not Categorized                     0          0           0\n         Total                               41         7           48\n         Source: OMB FISMA Web Portal\n\nAgency systems include all systems hosted internally to the SEC that have a\nsigned Categorization Memorandum formally assigning it a FIPS-199 impact\nlevel. The SEC continues to investigate legacy applications, some of which may\neventually be reported in the inventory as distinct enterprise systems. Others\nbeing investigated may include Microsoft Office-based spreadsheets or Access\ndatabase tools that will be bundled as part of the General Support System\n(GSS), but are not reported as distinct systems. Similarly, the SEC considers all\nsystems hosted at non-SEC facilities to be contractor systems. This includes\nboth systems hosted by Federal agencies subject to FISMA and systems hosted\nby commercial firms that are not directly subject to FISMA.\n2009 FISMA Executive Summary Report                                   March 26, 2010\nReport No. 472\n                                         Page 3\n\x0cOur results are based on data gathered from a number of sources including the\nMicrosoft Excel spreadsheet entitled Compliance Workbook (a document the\nSEC/OIT office maintains and provided to the OIG), meetings and interviews that\nwere conducted with OIT staff members. In addition, OIT officials reviewed and\nverified these numbers and concurred with our assessment.\n\nWe entered the data in Table 1 above, into the appropriate entry fields in the\nOMB on-line OIG FISMA reporting tool.\n\nQuestion 2: Certification & Accreditation, Security Controls\nTesting, and Contingency Plan Testing\nFor the Total Number of Systems identified by Component/Bureau and FIPS\nSystem Impact Level in the table for Question 1, identify the number and\npercentage of systems which have: a current certification and accreditation,\nsecurity controls tested and reviewed within the past year, and a contingency\nplan tested within in accordance with policy.\n\nResponse. Certification and Accreditation (C&A) is the process used to evaluate\nsystems and major applications ensuring adherence to formal and established\nsecurity requirements that are well documented and authorized. C&A is required\nby FISMA. All systems and applications that reside on U.S. government\nnetworks must be evaluated with a formal C&A before being put into production.\nSystems are re-accredited every three years or sooner if major changes are\nmade.\n\nAs shown below in Table 2, C&A has been performed on 48 systems, and 41\nsystems security controls were tested and reviewed during the past year. We\nalso found that in accordance with applicable policies, contingency plan testing\nwas performed on 30 systems.\n\n\n\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                      Page 4\n\x0c       Table 2: System Impact Levels for C&A, Tested Systems, and\n       Contingency Plans\n        System Impact      System with      Tested     Contingency\n        Level                  C&A         Systems         Plan\n\n        High System Impact            0            0               0\n        Level\n        Moderate System               46          41              30\n        Impact Level\n        Low System Impact             2            0               0\n        Level\n        Not Categorized                0           0               0\n        Total                         48          41              30\n       Source: OMB FISMA Web Portal\n\nFor purposes of FISMA reporting, the Commission identified C&A for all agency\nand contractor\xe2\x80\x99s systems for which a formal authority to operate (accreditation)\nwas granted by the SEC Designated Accrediting Authority (i.e., the Chief\nInformation Officer (CIO)) within a three year period. An additional three month\nextension or grace period is further permissible. For example, a system that was\naccredited on September 1, 2005 would be counted as accredited if the re-\naccreditation was signed and approved within 39 months, (December 1, 2009).\nAlso, the SEC counted all systems scheduled for accreditation on or before\nSeptember 5, 2009, the cutoff date for the annual report. Beginning in April\n2010, the SEC anticipates testing Disaster Recovery plans for systems that were\nnot tested during the past 12 months.\n\nThe data in Table 2 was entered in the appropriate data entry fields on the OMB\non-line FISMA reporting tool, as shown above.\n\n\nQuestion 3: Agency Oversight of Contractor Systems and\nQuality of Agency Systems Inventory\n\n   \xe2\x80\xa2   The agency performs oversight and evaluation to ensure information\n       systems used or operated by a contractor of the agency or other\n       organization on behalf of the agency meet the requirements of FISMA,\n       OMB policy and National Institute of Standards and Technology (NIST)\n       guidelines, national security policy, and agency policy.\n\n   \xe2\x80\xa2   Does the agency have policies for oversight of contractors? Yes/No.\n       If the answer above is Yes, Is the policy implemented?\n\n\n\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                       Page 5\n\x0c   \xe2\x80\xa2   The agency has a materially correct inventory of major information\n       systems (including national security systems) operated by or under the\n       control of such agency. Yes/No.\n\n   \xe2\x80\xa2   Does the agency maintain an inventory of interfaces between the agency\n       systems and all other systems, such as those not operated by or under\n       the control of the agency? Yes/No.\n\n   \xe2\x80\xa2   Does the agency require agreements for interfaces between systems it\n       owns or operates and other systems not operated by or under the control\n       of the agency? Yes/No.\n\n   \xe2\x80\xa2   The IG generally agrees with the CIO on the number of agency-owned\n       systems. Yes/No.\n\n   \xe2\x80\xa2   The IG generally agrees with the CIO on the number of information\n       systems used or operated by a contractor of the agency or other\n       organization on behalf of the agency. Yes/No.\n   \xe2\x80\xa2   The agency inventory is maintained and updated at least annually.\n       Yes/No.\n\n   \xe2\x80\xa2   If the IG does not indicate that the agency has a materially correct\n       inventory, please identify any known missing major systems by\n       Component/Bureau, the Unique Project Identifier associated with the\n       systems as presented in the FY 2009 Exhibit 300 (if known), and indicate\n       if the system is an agency or contractor system.\n\nResponse. C5i\xe2\x80\x99s analysis revealed that that the SEC always performs oversight\nand evaluation to ensure information systems used or operated by a contractor of\nthe agency, or other organization(s) on behalf of the agency, meet FISMA\nrequirements, OMB policy, NIST guidelines, National Security policy, as well as\nagency policy.\n\nC5i based its assessment on interviews conducted with several people who are\nresponsible for managing and administering the Commission\xe2\x80\x99s information\nsystems security program, our observations, and a review of policies and\nprocedures provided by OIT. We also determined the SEC implemented\nappropriate policies 24-1.2 Introduction of New Technology Into the Agency, 24-\n1.6 Enterprise Architecture, OD 24-03.01 Process and Product Assurance\nManagement, OD 24-03.01.01 Process and Product Assurance Management:\nQuality Management, to perform the oversight and evaluation of contractor\ninformation systems.\n\n\n2009 FISMA Executive Summary Report                                  March 26, 2010\nReport No. 472\n                                      Page 6\n\x0cThe quality management (QM) policy \xe2\x80\x9cidentifies the use of QM for the systematic\nimplementation and use of planning, control, assurance, and improvement\nactivities to align the business goals, quality objectives, and process measures.\nQM may involve providing information on standards, facilitating a team, or\nidentifying and analyzing a process. Another expectation of QM is to collect\nmeasurement data and lessons learned as input to other processes and product\nassurance management activities. QM resources act as consultants in\ncontinuous process improvement activities.\xe2\x80\x9d QM has specific objectives, such as\nquality planning, quality control, quality assurance, quality improvement, and\nhelping to ensure successful implementation of a defined program. OIT\xe2\x80\x99s\nConfiguration Management and Quality Assurance (CM/QA) branch is\nresponsible for conducting the review, control, and enforcement of processes\nand product assurance for IT products within OIT and the SEC. They further\nensure that quality planning and quality controls are addressed.\n\nIn questions 3(c) and 3(d), we found that the Commission developed a complete\ninventory of major information systems that are operated by or under the control\nof the Commission. These include an identification of the interfaces between\neach of the systems and all other systems or networks, including those that are\nnot operated by or under the control of the Commission. The accuracy of the\ninventory is impossible to assess within the scope of this effort. However, we\nestimate that the inventory is approximately 90 to 95 percent complete. In March\n2008, the OIG conducted an inspection of OIT control over Commission laptops\nand found OIT did not, at that time, have the proper accountability over laptops.\n\nBased on the finding from the 2008 OIG Inspection report, OIT established an\nasset management program and issued OD 24-05.09 (01.0) IT Asset\nManagement Program and OIT-00015-002.0 Asset Inventory Procedure that\nclearly outlines the roles and responsibilities of SEC personnel for asset\nmanagement and the accountability of assets. The directive supplements the\nprescribed property management control and accountability procedures\ncontained in SEC Regulation (SECR) 9-2, Property Management Program. We\nhave also reviewed the OIT Asset Inventory report which fully documents all\nfacets of the asset (type of asset, operating system, peripherals, owner,\ndepartment/organization, serial number(s), associated inventory bar code, etc.).\nIn addition, while we are unable to verify this inventory with 100 percent\naccuracy, the inventory spreadsheet is a comprehensive document and is\nupdated on a regular basis. Additional documents reviewed: OIT-0056.001.0\nEmployee Clearance and Termination Tracking Procedure and OIT-00057.001.0\n\xe2\x80\x93 Maintenance and Update of IT Equipment in the Property Tracking System.\n\nRegarding question 3(e), we determined the SEC does require agreements to be\nin place for interfaces between systems it owns or operates and other systems\nnot operated by or under the control of the agency. Several agreements were\n\n2009 FISMA Executive Summary Report                                  March 26, 2010\nReport No. 472\n                                      Page 7\n\x0cprovided for C5i\xe2\x80\x99s review. These agreements are comprehensive and include\ndetailed information regarding the purpose of the connection, the responsibilities\nof each party, a description of the systems or networks to be interconnected,\nprocedures for responding to security incidents, disaster and contingency plans,\nfunding considerations, and numerous administrative details. As part of our\nreview, we examined Memoranda of Understanding and Interconnection Security\nAgreements between the SEC and the Department of Justice, Department of\nInterior, and other government and contracting entities.\n\nIn questions 3(f), 3(g), and 3(h), the OIG generally agrees with the CIO on the\nnumber of agency-owned systems, as well as the number of information systems\nused or operated by SEC contractors. We also noted that the inventory is\nmaintained and updated on an ongoing basis. As noted above, C5i reviewed the\ninventory processes and procedures. Although we obviously cannot assess the\naccuracy or completeness of the inventory without conducting an independent\ninventory, the inventory spreadsheet is a comprehensive document and is\nupdated on a regular basis. 1\n\nBased on our review, we answered question 3 as depicted in Table 3 below.\n\nTable 3: OIG Response to Question 3\n                                                                         Recommended\n    ID     Questions from OMB Questionnaire\n                                                                         Response\n           The agency performs oversight and evaluation to ensure\n           information systems used or operated by a contractor of the\n    3      agency or other organization on behalf of the agency meet          Yes\n           the requirements of FISMA, OMB policy and NIST\n           guidelines, national security policy, and agency policy.\n    3(a)   Does the agency have policies for oversight of contractors?        Yes\n    3(b)   If the answer above is Yes, Is the policy implemented?             Yes\n           The agency has a materially correct inventory of major\n    3(c)   information systems (including national security systems)          Yes\n           operated by or under the control of such agency.\n           Does the agency maintain an inventory of interfaces\n    3(d)   between the agency systems and all other systems, such as          Yes\n           those not operated by or under the control of the agency?\n           Does the agency require agreements for interfaces between\n    3(e)   systems it owns or operates and other systems not operated         Yes\n           by or under the control of the agency?\n           The IG generally agrees with the CIO on the number of\n    3(f)\n           agency-owned systems.\n                                                                              Yes\n\n\n1\n Additional references: OIT-00057.001.0 Maintenance and Update of IT Equipment in the\nProperty Tracking System and OIT-0056.001.0 Employee Clearance and Termination Tracking\nProcedure.\n2009 FISMA Executive Summary Report                                         March 26, 2010\nReport No. 472\n                                          Page 8\n\x0c           The IG generally agrees with the CIO on the number of\n    3(g)   information systems used or operated by a contractor of the     Yes\n           agency or other organization on behalf of the agency.\n           The agency inventory is maintained and updated at least\n    3(h)\n           annually.\n                                                                           Yes\nSource: OMB FISMA Web Portal\n\nQuestion 4: Evaluation of Agency Plan of Actions and\nMilestones Process\n\n\xe2\x80\xa2     Assess whether the agency has developed, implemented, and is managing\n      an agency-wide plan of action and milestones (POA&M) process, providing\n      explanatory detail in the area provided.\n\n\xe2\x80\xa2     Has the agency developed and documented an adequate policy that\n      establishes a POA&M process for reporting IT security deficiencies and\n      tracking the status of remediation efforts? Yes/No.\n\n\xe2\x80\xa2     Has the agency fully implemented the policy? Yes/No.\n\n\xe2\x80\xa2     Is the agency currently managing and operating a POA&M process?\n\n\xe2\x80\xa2     Is the agency\'s POA&M process an agency-wide process, incorporating all\n      known IT security weakness, including IG/external audit findings associated\n      with information systems used or operated by the agency or by a contractor of\n      the agency or other organization on behalf of the agency? Yes/No.\n\n\xe2\x80\xa2     Does the POA&M process prioritize IT security weakness to help ensure\n      significant IT security weaknesses are corrected in a timely manner and\n      receive appropriate resources? Yes/No.\n\n\xe2\x80\xa2     When an IT security weakness is identified, do program officials (including\n      CIOs, if they own or operate a system) develop, implement, and manage\n      POA&Ms for their system(s)? Yes/No.\n\n\xe2\x80\xa2     For systems reviewed:\n\n                 a. Are deficiencies tracked and remediated in a timely manner? Yes/No.\n                 b. Are the remediation plans effective for correcting the security\n                    weakness? Yes/No.\n                 c. Are the estimated dates for remediation reasonable and\n                    adhered to? Yes/No.\n\n\n\n2009 FISMA Executive Summary Report                                      March 26, 2010\nReport No. 472\n                                           Page 9\n\x0c\xe2\x80\xa2   Do Program officials and contractors report their progress on security\n    weakness remediation to the CIO on a regular basis (at least quarterly)?\n    Yes/No.\n\n\xe2\x80\xa2   Does the Agency CIO centrally track, maintain, and independently\n    review/validate POA&M activities on at least a quarterly basis? Yes/No.\n\nResponse. In response to question 4 on the OMB template, we determined that\nthe Commission maintains an effective POA&M process. The Commission\neffectively consolidates agency plans to correct security weaknesses found\nduring various security reviews, including audits performed by the OIG, system\ncertification and accreditation, Government Accountability Office (GAO) audits,\nfinancial system audits, and critical infrastructure vulnerability assessments. The\nPOA&Ms are tracked using a comprehensive compliance spreadsheet which\nallows for quarterly tracking and updates. Our assessment is that the OIT\xe2\x80\x99s\nPOA&M process provides an effective roadmap for continuous security\nimprovement, assists with prioritizing corrective action and resource allocation,\nand is a valuable management and oversight tool.\n\nIn regards to questions 4(a) and 4(b), we found that the SEC\xe2\x80\x99s POA&M process\nis defined and enforced through SEC Policy II 24-04.10.01 (02.0) IT Security\nCertification and Accreditation, dated June 29, 2005. The process has been\neffectively extended throughout the Commission, including regional offices. The\nprocess is centrally managed, includes both Commission and contractor\noperated systems, and appears to include all known IT security weaknesses\nassociated with Commission systems. In general, the plan will be developed by\nthe C&A Coordinator, with assistance from the Chief Information Security Officer\n(CISO) and OIT Technical Liaison, and will capture the decisions made regarding\nmitigating and/or accepting each of the risks enumerated in the Risk Assessment\nReport. The POA&M describes each risk, lists the selected mitigation (if any)\nand its cost (in staff or other resources), assigns responsibility for implementing\nthe mitigation, lists the completion date for the mitigation activity, and provides\njustification if the risk is to be accepted. The C&A Coordinator is responsible for\nensuring resources are applied to POA&M activities to meet the milestones\ntherein. The CISO is responsible for monitoring progress of mitigation activities\ndescribed in the POA&M, and for periodic security compliance reviews of all\ninformation systems.\n\nIn questions 4(c), 4(f), 4(h), and 4(i), we observed an effective POA&M process\nhas been implemented. When an IT security weakness is identified, program\nofficials quickly develop, implement, and manage POA&Ms for Commission\nsystems. The progress of IT security weakness is reported to the CIO on a\nquarterly basis, it is centrally tracked, maintained, and POA&M activities are\nreviewed on a quarterly basis. In addition, OIG recommendations are routinely\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                      Page 10\n\x0cincorporated into the POA&M process. The POA&M process effectively\nprioritizes IT security weaknesses to help ensure significant IT security\nweaknesses are addressed in a timely manner and they receive appropriately\nresources to address the deficiency. While no systems were formally reviewed\nduring this evaluation, our responses and conclusions are based on our review of\nselected POA&M, C&A packages, and interviews conducted with OIT personnel.\n\nIn question 4(d), we found the POA&M process has been extended throughout\nthe Commission, to include the regional offices. The process is centrally\nmanaged and it includes both Commission and contractor operated systems.\nFurther, it appears to also include known IT security weaknesses associated with\nthe Commission\xe2\x80\x99s systems.\n\nConcerning 4(e) and 4(f), we found the POA&M process effectively prioritizes IT\nsecurity weakness to help ensure significant IT security weaknesses are\ncorrected in a timely manner. We also noted that the POA&M process is fully\nsupported by senior leadership, and that appropriate resources are engaged to\nmanage risks to SEC systems and information.\n\nIn questions 4(g)1, 4(g)2 and 4(g)3, we found deficiencies are tracked and\nremediated in a timely manner, the remediation plans are effective in correcting\nsecurity weaknesses, and the estimated dates for remediation are reasonable\nand are adhered to. While the SEC is no longer required to submit quarterly\nupdates of their POA&Ms, they have continued to update their standard\nprocedure quarterly to ensure timely remediation and closure of POA&M findings.\n\nBased on our review, we entered the data shown below in Table 4, in response\nto question 4.\n\nTable 4: OIG Response to Question 4\n                                                                        Recommended\n ID      Question from OMB Questionnaire\n                                                                        Response\n         Assess whether the agency has developed, implemented, and\n         is managing an agency-wide plan of action and milestones\n 4                                                                             Yes\n         (POA&M) process, providing explanatory detail in the area\n         provided.\n         Has the Agency developed and documented an adequate\n         policy that establishes a POA&M process for reporting IT\n 4(a)                                                                          Yes\n         security deficiencies and tracking the status of remediation\n         efforts?\n 4(b)    Has the Agency fully implemented the policy?                          Yes\n         Is the Agency currently managing and operating a POA&M\n 4(c)                                                                          Yes\n         process?\n\n\n\n2009 FISMA Executive Summary Report                                      March 26, 2010\nReport No. 472\n                                      Page 11\n\x0c                                                                             Recommended\n    ID     Question from OMB Questionnaire\n                                                                             Response\n           Is the agency\xe2\x80\x99s POA&M process an agency-wide process,\n           incorporating all known IT security weakness, including\n    4(d)   IG/external audit findings associated with information systems           Yes\n           used or operated by the agency or by a contractor of the\n           agency or other organization on behalf of the agency?\n           Does the POA&M process prioritize IT security weakness to\n    4(e)   help ensure significant IT security weaknesses are corrected             Yes\n           in a timely manner and receive appropriate resources?\n           When an IT security weakness is identified, do program\n           officials (including CIOs, if they own or operate a system)\n    4(f)                                                                            Yes\n           develop, implement, and manage POA&Ms for their\n           system(s)?\n    4(g)   For Systems Reviewed:                                                    Yes\n    4(g)\n           Are deficiencies tracked and remediated in a timely manner?              Yes\n    1\n    4(g)   Are the remediation plans effective for correcting the security\n                                                                                    Yes\n    2      weakness\n    4(g)   Are the estimated dates for remediation reasonable and\n                                                                                    Yes\n    3      adhered to?\n           Do Program officials and contractors report their progress on\n    4(h)   security weakness remediation to the CIO on a regular basis              Yes\n           (at least quarterly)?\n           Does the Agency CIO centrally track, maintain, and\n    4(i)   independently review/validate POA&M activities on at least a             Yes\n           quarterly basis?\nSource: OMB FISMA Web Portal\n\n\nQuestion 5: OIG Assessment of the Certification and\nAccreditation Process\n\n\xe2\x80\xa2     Provide a qualitative assessment of the agency\xe2\x80\x99s certification and\n      accreditation process, including adherence to existing policy, guidance, and\n      standards. Agencies shall follow NIST Special Publication 800-37, Guide for\n      the Security Certification and Accreditation of Federal Information Systems\n      (May 2004) for certification and accreditation work initiated after May 2004.\n      This includes use of the FIPS 199 (February 2004), Standards for Security\n      Categorization of Federal Information and Information Systems, to determine\n      a system impact level, as well as associated NIST documents used as\n      guidance for completing risk assessments and security plans. Provide\n      explanatory detail in the area provided.\n\xe2\x80\xa2     Has the Agency developed and documented an adequate policy for\n      establishing a certification and accreditation process that follows the NIST\n      framework? Yes/No.\n\n2009 FISMA Executive Summary Report                                           March 26, 2010\nReport No. 472\n                                          Page 12\n\x0c\xe2\x80\xa2   Is the Agency currently managing and operating a C&A process in\n    compliance with its policies? Yes/No.\n\n        \xe2\x80\xa2   For systems reviewed, does the C&A process adequately provide:\n            (Check all that apply)\n                      o Appropriate risk categories\n                      o Adequate risk assessments\n                      o Selection of appropriate controls\n                      o Adequate testing of controls\n                      o Regular monitoring of system risks and the adequacy of\n                          controls\n\n        \xe2\x80\xa2   For systems reviewed, is the Authorizing Official presented with\n            complete and reliable C&A information to facilitate an informed system\n            Authorization to Operate decision based on risks and controls\n            implemented? Yes/No.\n\nResponse. C5i found the overall C&A program is excellent. The C&A and risk\nmanagement processes are well defined, mature, well managed, and compliant\nwith applicable regulatory and statutory requirements. The full C&A packages for\nthe GSS and Automated Procurement System (APS) were provided and were\nfully reviewed as part of the assessment. We reviewed security plans and the\nsecurity planning processes, systems tests and evaluations, security control\ntesting procedures and results, incident handling, security awareness training,\nand configuration and patch management. In 2008, the Commission purchased\nthe U.S. Department of Justice sponsored Cyber Security Assessment and\nManagement (CSAM) application. CSAM is a web-enabled system capable of\nassisting a Federal agency in meeting its obligations for C&A activities as defined\nby the OMB, NIST, and FISMA. A sample CSAM screen shot is shown in Figure\n1, located in the Appendices of this report.\n\nCSAM enables the SEC to accomplish the following tasks:\n\n    \xe2\x80\xa2   Store information about each agency system and application (inventory of\n        systems).\n    \xe2\x80\xa2   Create and maintain the System Security Plan for each system.\n    \xe2\x80\xa2   Store system-specific documents including Disaster\n        Recovery/Contingency Plan, Authority to Operate Memo, Interface\n        Agreements, etc.\n    \xe2\x80\xa2   Store and track vulnerabilities in system POA&M.\n    \xe2\x80\xa2   Perform and store results of Risk Assessments and Security Test and\n        Evaluations (ST&E) on each system following the current NIST\n        requirements (Special Publications 800-53 and 800-53A).\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                      Page 13\n\x0c    \xe2\x80\xa2   Produce quarterly and annual FISMA reports for OMB using mostly\n        automated CSAM functionality.\n    \xe2\x80\xa2   Produce reports showing various aspects of security in the agency\xe2\x80\x99s\n        systems, including management snapshots, upcoming and overdue C&A\n        tasks, and detailed reports of open POA&M items.\n\nCSAM was fully deployed at the SEC in March 2009. CSAM is externally hosted\nby the Department of Justice and contains the SEC\xe2\x80\x99s C&A information. CSAM\ntracks system inventory, including names, security categorization of each\ninformation system, status of C&A activities, weakness descriptions and\nremediation plans in the form of POA&M, NIST 800-53 control assessment\nresults, as well as audit finding maintenance, monitoring, and tracking. The SEC\nused CSAM to generate FISMA quarterly reports for the past two quarters. In\naddition, OIT uses CSAM to track GAO and OIG audit findings. OIT Security\nadministers CSAM and it is used by other OIT divisions to track audit findings.\nGAO\xe2\x80\x99s inventory of POA&Ms is shown in Figure 2, located in the Appendices of\nthis report.\n\nOIT expects use of CSAM will provide a consistent approach to C&A in the\nCommission, allowing documents and status to be located and maintained in a\nmore efficient way than the present manual processes. CSAM is one of two\nOMB Security Line of Business initiatives.\n\nIn response to question 5(a), we found the SEC has developed and documented\nadequate policy for establishing a certification and accreditation process that\nfollows the NIST framework. The policy 2 establishes uniform policies,\nresponsibilities, and authorities for the C&A of major applications and general\nsupport systems at the SEC. The policy further implements higher level policies\nsuch as SEC Regulation (SECR) 24-04, Information Technology Security\nProgram, Operating Directive (OD) 24-04.10 IT Security Compliance, FISMA,\nand OMB Circular A-130, Appendix III, Security of Federal Automated\nInformation Resources.\n\nIn question 5(b), we found that the SEC is currently managing and operating a\nC&A process in compliance with its policies.\n\nIn questions 5(c)1, 2, 3, 4 and 5, we found the C&A process adequately provides\nappropriate risk categories, adequate risk assessments, selection of appropriate\ncontrols, adequate testing of controls, and regular monitoring of system risks and\nthe adequacy of controls. The SEC C&A program was developed using\nguidance from NIST. 3 SEC Policy II 24-04.10.01 (02.0) Implementing Instruction:\n\n2\n SEC II 24-04.10.01 (02.0) IT Security Certification and Accreditation, dated June 29, 2005.\n3\n See 800-37 Guide for the Security Certification and Accreditation of Federal Information\nSystems, NIST 800-53 Recommended Security Controls for Federal Information Systems and\n2009 FISMA Executive Summary Report                                              March 26, 2010\nReport No. 472\n                                          Page 14\n\x0cIT Security Certification and Accreditation (June 29, 2005) has established \xe2\x80\x9cthe\nuniform policies, responsibility, and authorities for the C&A of major applications\nand general support systems at the SEC.\xe2\x80\x9d We reviewed data provided by SEC\n(i.e., ST&E, POA&M, System Security Plan, and Risk Assessment) and all the\ndata provided supports our conclusion that SEC clearly applies the guidance and\nbest practices defined in the NIST and OMB guidance. The Commission\xe2\x80\x99s C&As\nare performed by an independent third-party, the Science Applications\nInternational Corporation (SAIC), which ensures an independent evaluation and\nassessment of the systems to be certified and accredited.\n\nIn question 5(d), we found the authorizing official is presented with complete and\nreliable C&A information to facilitate an informed system Authorization to Operate\ndecision based on risks and controls implemented. As referenced in the previous\nquestions, the SEC has a very thorough C&A process that was developed using\nNIST and OMB guidance.\n\nExamples of POA&M entry pages are shown in Figure 3 and 4, located in the\nAppendices of this report. Our response to question 5 is shown below in Table 5.\n\n\n\n\nOrganizations, NIST 800-53A Guide for Assessing the Security Controls in Federal Information\nSystems, and OMB Circular A-130 Security of Federal Automated Information Resources.\n2009 FISMA Executive Summary Report                                              March 26, 2010\nReport No. 472\n                                          Page 15\n\x0cTable 5: OIG Response to Question 5\n                                                                         Recommended\n ID       Question from OMB Questionnaire\n                                                                         Response\n          Provide a qualitative assessment of the agency\xe2\x80\x99s\n          certification and accreditation process, including adherence\n          to existing policy, guidance, and standards. Agencies shall\n          follow NIST Special Publication 800-37, Guide for the\n          Security Certification and Accreditation of Federal\n          Information Systems (May 2004) for certification and\n 5        accreditation work initiated after May 2004. This includes     See text below\n          use of the FIPS 199 (February 2004), Standards for\n          Security Categorization of Federal Information and\n          Information Systems, to determine a system impact level,\n          as well as associated NIST documents used as guidance\n          for completing risk assessments and security plans. Provide\n          explanatory detail in the area provided.\n          Has the Agency developed and documented an adequate\n 5(a)     policy for establishing a certification and accreditation            Yes\n          process that follows the NIST framework?\n          Is the Agency currently managing and operating a C&A\n 5(b)                                                                          Yes\n          process in compliance with its policies?\n          For systems reviewed, does the C&A process adequately\n 5(c)\n          provide: (check all that apply)\n 5(c)1    Appropriate risk categories                                       Check Box\n 5(c)2    Adequate risk assessments                                         Check Box\n 5(c)3    Selection of appropriate controls                                 Check Box\n 5(c)4    Adequate testing of controls                                      Check Box\n          Regular monitoring of system risks and the adequacy of\n 5(c)5                                                                      Check Box\n          controls\n          For systems reviewed, is the Authorizing Official presented\n          with complete and reliable C&A information to facilitate an\n 5(d)                                                                          Yes\n          informed system Authorization to Operate decision based\n          on risks and controls implemented?\nSource: OMB FISMA Web Portal\n\nWe provided the following information in the comment box for Question 5:\n\n         \xe2\x80\x9cC5i found the overall C&A program to be excellent. The\n         SEC C&A program was developed using guidance from\n         NIST 800-37 Guide for the Security Certification and\n         Accreditation of Federal Information Systems, NIST 800-53\n         Recommended Security Controls for Federal Information\n         Systems and Organizations, NIST 800-53A Guide for\n         Assessing the Security Controls in Federal Information\n         Systems, and OMB Circular A-130 Security of Federal\n         Automated Information Resources. SEC Policy II 24-\n         04.10.01 (02.0) Implementing Instruction: IT Security\n2009 FISMA Executive Summary Report                                          March 26, 2010\nReport No. 472\n                                        Page 16\n\x0c       Certification and Accreditation (June 29, 2005) has\n       established \xe2\x80\x9cthe uniform policies, responsibility, and\n       authorities for the C&A of major applications and general\n       support systems at the SEC\xe2\x80\x9d. We reviewed artifacts\n       provided by SEC (ST&E, POA&M, System Security Plan,\n       and Risk Assessment) \xe2\x80\x93 specifically for GSS and APS - and\n       all artifacts support our conclusion that SEC clearly applies\n       the guidance and best practices defined in the NIST and\n       OMB guidance. The C&As are performed by an\n       independent third-party (SAIC) ensuring an independent\n       evaluation and assessment of the systems to be certified\n       and accredited.\xe2\x80\x9d\n\nQuestion 6: OIG Assessment of Privacy Program and PIA\nProcess\n\n\xe2\x80\xa2   Provide a qualitative assessment of the agency\xe2\x80\x99s process, as discussed in\n    Section D, for protecting privacy-related information, including adherence to\n    existing policy, guidance and standards. Provide explanatory information in\n    the area provided.\n\n\xe2\x80\xa2   Has the Agency developed and documented adequate policies that comply\n    with OMB guidance in M-07-16, M-06-15, and M-06-16 for safeguarding\n    privacy-related information? Yes/No.\n\n\xe2\x80\xa2   Is the Agency currently managing and operating a privacy program with\n    appropriate controls in compliance with its policies? Yes/No.\n\n\xe2\x80\xa2   Has the Agency developed and documented an adequate policy for Privacy\n    Impact Assessments? Yes/No/NA.\n\n\xe2\x80\xa2   Has the Agency fully implemented the policy and is the Agency currently\n    managing and operating a process for performing adequate privacy impact\n    assessments? Yes/No/NA.\n\nResponse. During our assessment of the privacy program, we identified some\nsignificant problems with its policies, specifically the lack of approved and\nimplemented policies. Currently, the SEC has only finalized one privacy policy\nfor PII. The OIT Privacy Office has devoted a significant amount of time and\nmoney to drafting new policy documents and implementing guidance.\n\n\n\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                      Page 17\n\x0cWhen the Privacy office transitioned to OIT, a contractor was brought in to review\nthe existing draft SECR 31-1 and to draft other SEC privacy policies for review.\nSpecifically, the contractor was to perform the tasks shown below.\n\n             \xe2\x80\xa2   C.3.4.8 Policy Review and Development.\n\n             \xe2\x80\xa2   C.3.4.8.1 Current Policies. The contractor shall review current\n                 privacy policies, procedures, standards, and guidelines for\n                 conformance with current federal requirements and industry\n                 standards. The contractor shall address the content and\n                 effectiveness of SEC documents for adequacy and consistency\n                 with legislation, regulations, and guidelines considering the SEC\n                 mission.\n\n             \xe2\x80\xa2   C.3.4.8.2 New Requirements Review. The contractor shall review\n                 and comment on new and proposed policies, legislation, standards,\n                 and guidance from federal policy authorities such as circulars and\n                 memoranda from OMB. The contractor shall keep the Privacy\n                 Office informed of all new privacy issues, topics, policy, and\n                 guidance in a timely manner. The contractor shall develop and\n                 deliver to the TM for review and approval any required guidance\n                 and memoranda on new privacy requirements, topics, and issues.\n\n             \xe2\x80\xa2   C.3.4.8.3 Policy Changes. The contractor shall work with SEC\n                 personnel to develop or update internal and web-based privacy\n                 policies, procedures, standards, and guidelines based on new\n                 federal legislation, regulations, policies, standards, and guidelines\n                 to serve as the foundation of SEC privacy practices. The contractor\n                 shall update the documents as required by new guidelines. The\n                 contractor shall deliver these documents to the TM for review and\n                 approval.\n\nFor clarity, below is OIT\xe2\x80\x99s Policy development/approval process:\n\n   1.\n        a)\n        b)\n        c)\n        d)\n\n\n   2.\n\n        a)\n2009 FISMA Executive Summary Report                                       March 26, 2010\nReport No. 472\n                                        Page 18\n\x0c        b)\n        c)\n        d)\n        e)\n\n   3.\n\n\n   4.\n\n\n\n        a)\n        b)\n        c)\n        d)\n\n   5.\n\n\n   6.\n\n\n\n\n   7.\n\n\n\n\n   8.\n\n\n\n\n   9.\n\n\nThe following documents are posted on OIT\xe2\x80\x99s website to assist in preparing\npolicy documents: \xe2\x80\x9cIT Policy Development Process,\xe2\x80\x9d \xe2\x80\x9cWriting Tips and Tools and\nII 24-06.05.01,\xe2\x80\x9d Preparing and Approving Information Technology-Related\nPolicy.\xe2\x80\x9d\n\n\n2009 FISMA Executive Summary Report                                March 26, 2010\nReport No. 472\n                                      Page 19\n\x0cThe Draft SECR 31-1 policy was initially submitted to the IRM branch in March\n2007, per OIT policy review process, and changed hands in IRM in September\n2007 due to at that time, the OIT Policy Manager leaving the SEC. This resulted\nin several internal iterations of the draft SECR 31-1. Subsequently and pursuant\nto OMB Memo 07-16, additional draft policies were submitted to IRM for review.\nThese included policies for breach notification (Privacy Incident Management);\nReduction of SSNs; and Rules of Conduct for Safeguarding PII.\n\nOn the dates listed below, OIT issued the following policy documents for external\nreviews.\n\n\n   \xe2\x88\x92\n   \xe2\x88\x92\n\n   \xe2\x88\x92\n\n           o\n\n           o\n           o\n           o\n\n\n   \xe2\x88\x92\n\n\n\n   \xe2\x88\x92\n\n\n\n   \xe2\x88\x92\n\nThe OED provided comments to the SECR 24.08 Privacy Program on December\n8, 2008, which resulted in restructuring the privacy tiered framework and\nessentially redrafting the SECR. As a result of the redrafted SECR, policy\nprovisions for Use and Reduction of SSNs and Rules of Conduct were\nincorporated into the draft SECR. The Privacy Office met with the OED and\ndiscussed their comments and plans to revise policy at the agency. Based on\nthat meeting and written comments, another draft SECR with attachments was\nprovided to OED on March 31, 2009. The OED requested clarification, and in\nsome instances, additional information such as sources of definitions. The OED\nthen restructured the outline of the document and edited/added content, and\n2009 FISMA Executive Summary Report                                  March 26, 2010\nReport No. 472\n                                      Page 20\n\x0cprovide to OIT a rewrite of the SECR on November 17, 2009, including renaming\nthe SECR to Management and Protection of Privacy Act Records and other PII. 4\nThe draft OD, Privacy Incident Management is still under OED review.\nAccordingly, these documents have not been formally approved, due to delays\nwithin the Commission. Therefore, we cannot state with assurance that the SEC\nis currently managing and operating its privacy program with the appropriate\ncontrols. Although the Privacy Office has made some progress with acquiring\nresources, performing outreach efforts within the Commission and Regional\noffices, as well as benchmarking with external agencies, the absence of\nformalized policies limit the Commission\xe2\x80\x99s ability to implement an effective\nprivacy program.\n\nIn reviewing the Draft policies for Privacy Incident Management and the Privacy\nProgram, 5 we found it thoroughly documents the roles, responsibilities, and\nprocedures. 6 The Draft policies we reviewed were still under revision.\nTherefore, we cannot comment on whether the newly-drafted policy contains the\nsame information as the Draft policies we reviewed for the 2009 FISMA\nreporting.\n\nThe Commission continues to make progress in their outreach to SEC Divisions,\nOffices and Regional Offices to increase compliance with privacy documentation\n\xe2\x80\x93 Privacy Analysis Worksheets, PIA, and Privacy Act System of Records Notices\nfor programs and systems involving PII. Compliance efforts included updating\nand disseminating the Privacy Impact Assessment Guide (January 2007) and\nconducting training and seminars to apprise employees and contractors\nregarding the requirements. Additionally, the Privacy Office conducted a review\nof its existing inventory of System of Records Notice for the purpose of reducing\nthe use of SSNs within the Commission.\n\nIn question 6(a) of the reporting template, we found the SEC Privacy Program\nand PIA processes will be implemented with the approval of the Draft SEC\nRegulation (SECR) 24-08 Management and Protection of Privacy Act Records\n\n\n4\n  Since the submission of the responses to the FISMA questionnaires, a draft policy was\nsubmitted on December 17, 2009 for external and internal OIT management review with a\nJanuary 18, 2010 comment due date.\n5\n  SECR 24-08 (01.0) SEC Regulation: Privacy Program and OD 24-08.07 (01.0) Operating\nDirective: Privacy Incident Management).\n6\n  The guidance was based on The Privacy Act of 1974, Title 5 U.S. C. \xc2\xa7552a; Federal Information\nSecurity Management Act (FISMA) of 2002, E-Government Act of 2002 Public Law 107-347, Title\nIII; OMB Memorandum 05-08 (M-05-08), Designation of Senior Agency Officials for Privacy; OMB\nCircular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About\nIndividuals; Regulations Pertaining to the Privacy of Individuals and Systems of Records\nMaintained by the Commission, Title 17 C.F.R \xc2\xa7 200.301 \xe2\x80\x93 200.313, and OMB Memorandum M-\n07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.\n2009 FISMA Executive Summary Report                                               March 26, 2010\nReport No. 472\n                                           Page 21\n\x0cand Other PII. The Commission has identified appropriate responsible\npersonnel, including a SAOP/CIO and Chief Privacy Officer (CPO).\n\nIn question 6(b), we found the SEC is currently developing a privacy program\nwith appropriate controls. Though draft policy has been developed, it has not\nbeen implemented.\n\nRegarding question 6(c), we found OIT developed a Privacy Impact Assessment\nGuide (January 2007) and intends to formally document its PIA process with the\napproval of the SECR 24-08, Management and Protection of Privacy Act\nRecords and other PII, which consists of governing policy.\n\nIn question 6(d), we found that the SEC is drafting policies that are consistent\nwith guidance provided by the applicable federal laws and regulations. 7\nHowever, these policies (SECR 24-08 Management and Protection of Privacy\nAct Records and other PII and OD 24-08.07 Operating Directive: Privacy Incident\nManagement) are still in DRAFT and have not been approved and implemented\nthroughout the Commission. We must note that OIT developed a Privacy Impact\nAssessment Guide (January 2007) and intends to formally document its PIA\nprocess once the SECR is approved.\n\nWe provided our response to question 6 as shown in Table 6.\n\nTable 6: OIG Response to Question 6\n                                                                           Recommended\n    ID     Question from OMB Questionnaire\n                                                                           Response\n           Provide a qualitative assessment of the agency\xe2\x80\x99s process,\n           as discussed in Section D, for protecting privacy-related\n    6      information, including adherence to existing policy, guidance   See text below\n           and standards. Provide explanatory information in the area\n           provided.\n           Has the Agency developed and documented adequate\n           policies that comply with OMB guidance in M-07-16, M-06-\n    6(a)                                                                          No\n           15, and M-06-16 for safeguarding privacy-related\n           information?\n           Is the Agency currently managing and operating a privacy\n    6(b)   program with appropriate controls in compliance with its               No\n           policies?\n\n\n\n7\n For example The Privacy Act of 1974, Title 5 U.S. C. \xc2\xa7552a; Federal Information Security\nManagement Act (FISMA) of 2002, E-Government Act of 2002 Public Law 107-347, Title III; OMB\nMemorandum 05-08 (M-05-08), Designation of Senior Agency Officials for Privacy; OMB Circular\nA-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals;\nRegulations Pertaining to the Privacy of Individuals and Systems of Records Maintained by the\nCommission, Title 17 C.F.R \xc2\xa7 200.301 \xe2\x80\x93 200.313).\n2009 FISMA Executive Summary Report                                            March 26, 2010\nReport No. 472\n                                           Page 22\n\x0c                                                                   Recommended\n ID       Question from OMB Questionnaire\n                                                                   Response\n          Has the Agency developed and documented an adequate\n 6(c)                                                                    No\n          policy for Privacy Impact Assessments?\n          Has the Agency fully implemented the policy and is the\n 6(d)     Agency currently managing and operating a process for          No\n          performing adequate privacy impact assessments?\nSource: OMB FISMA Web Portal\n\n\nQuestion 7: Configuration Management\n\n      \xe2\x80\xa2   Is there an agency-wide security configuration policy? Yes/No.\n      \xe2\x80\xa2   What tools, techniques is your agency using for monitoring compliance?\n      \xe2\x80\xa2   Indicate the status of the implementation of Federal Desktop Core\n          Configuration (FDCC) at your agency:\n\n            o Agency has documented deviations from FDCC standard\n              configuration. Yes/No.\n\n            o New Federal Acquisition Regulation 2007-004 language, which\n              modified \xe2\x80\x9cPart 39\xe2\x80\x94Acquisition of Information Technology\xe2\x80\x9d, is\n              included in all contracts related to common security settings.\n              Yes/No.\n\nResponse. C5i noted that the Commission has developed and disseminated\nformal, documented, configuration management policies and implementing\nguidance that addresses project configuration management. The policy is set\nforth in II 24-03.01.02(01.0) Implementing Instruction Process and Product\nAssurance Management Configuration Management, dated December 21, 2005\nand II 24-04.04.02 (01.1), Implementing Instruction for IT Security Configuration\nManagement.\n\nThese Implementing Instructions establish uniform policies, authorities,\nresponsibilities, and procedures for IT security configuration management as\ndirected in Operating Directive (OD) 24-04.04, IT Security Operations and\nCommunications Security Management Program. All policies, authorities,\nresponsibilities, and procedures listed are guided by requirements listed in SEC\nRegulation (SECR) 24-04, Information Technology Security Program.\n\nThis instruction identifies configuration management planning as a process\nmanaged by OIT\xe2\x80\x99s CM/QA branch and other OIT organizations engaged in\nproject IT activities and provides a Project CM Plan template that describes\nconfiguration management activities in terms of configuration identification,\n\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                       Page 23\n\x0cbaseline management, configuration control, status accounting, audits, and\nconfiguration management tools.\n\nWhile not specifically addressed in the configuration management questions, we\nfound some areas of concern in the SEC Encryption Program and policies which\nare further detailed in a separate SEC Encryption Program report.\n\nIn question 7(a), the                                                         is\nused to monitor real-time compliance with an established configuration baseline.\nThe                 , in conjunction with administrative procedures already in place\nthrough formal SEC change management policies and procedures, effectively\nmanages configuration compliance.\n\nAny changes related to IT security follow the formal change management\nprocedures established by the CM/QA branch, documented in OP 24-\n03.01.02.07 Configuration Control: Change Management and other related\npolicies.\n\nThe SEC has implemented appropriate policies 24-1.2 Introduction of New\nTechnology Into the Agency, 24-1.6 Enterprise Architecture, OD 24-03.01\nProcess and Product Assurance Management, OD 24-03.01.01 Process and\nProduct Assurance Management: Quality Management to perform oversight and\nevaluation of contractor information systems. The Quality Management (QM)\npolicy \xe2\x80\x9cidentifies the use of QM for the systematic implementation and use of\nplanning, control, assurance, and improvement activities to align the business\ngoals, quality objectives, and process measures. Effective QM designs,\ndevelops, and implements guidance processes that assure accuracy and\nintegrity. QM may involve providing information on standards, facilitating a team,\nor identifying and analyzing a process. Another expectation of QM is to collect\nmeasurement data and lessons learned as input to other process and product\nassurance management activities. QM resources act as consultants in\ncontinuous process improvement activities.\xe2\x80\x9d QM has specific objectives, i.e.,\nquality planning, quality control, quality assurance, and quality improvement, and\nhelping to ensure successful implementation. OIT\xe2\x80\x99s CM/QA branch is\nresponsible for conducting the review, control, and enforcement of the process\nand product assurance for IT products within OIT and the SEC, as well as\nensuring that quality planning and quality control are addressed.\nSome of the key components of the change management process are\nhighlighted below, focusing on specific considerations related to IT security. A\nchange request is prepared and initiated by a requester using the enterprise\nchange control tool. The enterprise change control tool is administered by OIT\xe2\x80\x99s\nCM/QA branch within the Office of Enterprise Architecture. The information that\na requester inputs into the change control tool generates a System Change\nRequest. The OIT Security Group\xe2\x80\x99s Operational Change Control Board (O-CCB)\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                      Page 24\n\x0cmembers review system change requests to evaluate and assess whether there\nare IT security implications. Information system components (hardware,\noperating system, utility, and applications) with IT security features require\ntesting prior to the implementation of the change into the production environment,\npreventing unwarranted downtime of the production environment. 8\n\nWhen a change to an existing information system is proposed, the OIT Security\nGroup O-CCB member conducts an impact analysis to determine the effects, if\nany, on the integrity and availability of the information and information system.\nThis analysis ensures changes do not introduce new vulnerabilities or diminish\nexisting IT security controls. In addition to the impact analysis, IT security testing\nand evaluation are conducted for proposed changes that have IT security\nimplications and features. Once testing is completed and IT security implications\nare evaluated and assessed, O-CCB either approves or disapproves the\nproposed changes. The results of the analysis and any IT security testing and\nevaluation are documented within the enterprise change control tool.\n\nQuestion 7(b). The FDCC is an OMB mandate that requires all Federal\nagencies to standardize the configuration of approximately 300 settings on\nWindows computers, agency-wide. The reason for this standardization is to\nstrengthen Federal IT security by reducing the opportunity for hackers to access\nand exploit government computer systems. On September 18, 2009, the SEC\nOIT/End User Technology branch pushed the FDCC settings to all workstations\nand laptops by Active Directory Group Policy Object (GPO).\n\nQuestion 7(c). The SEC had no documented deviations from FDCC standard\nconfiguration. The FDCC standard configuration was fully implemented in\naccordance with SEC OIT Memorandum, September 29, 2009.\n\nQuestion 7(d). Federal Acquisition Regulation 2007-004 language, which\nmodified Part 39\xe2\x80\x94Acquisition of Information Technology, is included in all\ncontracts related to common security settings. These requirements were\npromulgated in an SEC OIT Memorandum dated September 29, 2009.\n\nOur response to question 7 is shown as follows in Table 7.\n\n\n\n\n8\n    See OD 24-03.01-C01Operations Configuration Control Board (O-CCB) Charter.\n\n2009 FISMA Executive Summary Report                                              March 26, 2010\nReport No. 472\n                                          Page 25\n\x0cTable 7: OIG Response to Question 7\n                                                                     Recommended\n ID      Question from OMB Questionnaire\n                                                                     Response\n                                                                     Yes \xe2\x80\x93 See text\n 7       Is there an agency-wide security configuration policy?\n                                                                         below\n       What tools, techniques is your agency using for monitoring\n 7(a)                                                                See text below\n       compliance?\n       For each OS/platform/system for which your agency has a\n 7(a)1 configuration policy, please indicate the status of           See table below\n       implementation for that policy.\n       Indicate the status of the implementation of FDCC at your\n 7(b)                                                                     Yes\n       agency:\n       Agency has documented deviations from FDCC standard\n 7(c)                                                                     Yes\n       configuration.\n       New Federal Acquisition Regulation 2007-004 language,\n       which modified \xe2\x80\x9cPart 39\xe2\x80\x94Acquisition of Information\n 7(d)                                                                     Yes\n       Technology\xe2\x80\x9d, is included in all contracts related to common\n       security settings.\nSource: OMB FISMA Web Portal\n\nQuestion 7. The                   is used to monitor real-time compliance with an\nestablished configuration baseline. This tool, in conjunction with administrative\nprocedures already in place, i.e., Implementation Instructions for Configuration\nManagement within the formal SEC change management policies and\nprocedures, effectively enforces configuration compliance. All system changes\nfollow the formal change management procedures established by OIT\xe2\x80\x99s CM/QA\nbranch and are documented in the configuration control operations plan and\nother related policies.\n\nAlthough encryption is not a specific FISMA question, our FISMA review included\nan assessment of the SEC\xe2\x80\x99s encryption policies and procedures. During our\nevaluation, we discovered some areas of concern with encryption\nimplementation. We performed a full evaluation of the SEC\xe2\x80\x99s Encryption\nProgram and provided recommendation for improvement in a separate report.\n\nQuestion 7(a). Changes related to IT security follow the formal change\nmanagement procedures established by the CM/QA branch, documented in OP\n24-03.01.02.07 Configuration Control: Change Management and related\npolicies. Some of the key components of the change management process are\nhighlighted below, focusing on specific considerations related to IT security. A\nchange request is prepared and initiated by a requester using the enterprise\nchange control tool. The enterprise change control tool is administered by OIT\xe2\x80\x99s\nCM/QA branch within the Office of Enterprise Architecture. Information the\nrequester puts into the change control tool generates a system change request.\nMembers of OIT\xe2\x80\x99s Security Group, O-CCB, review system change requests to\nevaluate and assess IT security implications. Information system components\n2009 FISMA Executive Summary Report                                     March 26, 2010\nReport No. 472\n                                        Page 26\n\x0c(i.e., hardware, operating system, utility, and applications) with IT security\nfeatures require testing prior to implementing the change into the production\nenvironment. This prevents unwarranted production downtime.\n\nWhen a change to an existing information system is proposed, O-CCB members\nconduct an impact analysis to determine the effects, if any, on the integrity and\navailability of the information and information system. This analysis ensures\nchanges do not introduce new vulnerabilities or diminish existing IT security\ncontrols. In addition to the impact analysis, IT security testing and evaluation is\nconducted for all proposed changes that have IT security implications and\nfeatures. Upon completion of testing and when all IT security implications are\nevaluated and assessed, the O-CCB approves or disapproves the proposed\nchanges. The results of the analysis and any IT security testing and evaluation\nare documented in the change control tool. Configuration Policy for\nOS/Platform/System is illustrated below in Table 8.\n\nTable 8: Configuration Policy for Each OS/Platform/System\n OS/Platform/System     Tool/Technique Tool Category Implementation\n                        Name                             Status\n                                                Vulnerability    Fully Implemented\n                                                Scanners\n                                                Vulnerability    Fully Implemented\n                                                Scanners\n                                                Vulnerability    Fully Implemented\n                                                Scanners\n                                                                 In Process\n                                                Configuration    Fully Implemented\n                                                Scanner\n                                                Configuration    Fully Implemented\n                                                Scanner\n                                                Configuration    Fully Implemented\n                                                Scanner\n                                                                 Fully Implemented\n                                                Vulnerability    Fully Implemented\n                                                Scanners\n                                                Vulnerability    Fully Implemented\n                                                Scanners\n                                                Vulnerability    Fully Implemented\n                                                Scanners\n                                                Vulnerability    Fully Implemented\n                                                Scanners\n Microsoft Office                                                In Process\n SharePoint Server 2007\n Microsoft Office 2007                                           In Process\n Microsoft Outlook 2007                                          In Process\n\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                      Page 27\n\x0c OS/Platform/System            Tool/Technique Tool Category      Implementation\n                               Name                              Status\n                                                 Vulnerability   Fully Implemented\n                                                 Scanners\n                                                 Vulnerability   Fully Implemented\n                                                 Scanners\n                                                 Vulnerability   Fully Implemented\n                                                 Scanners\n                                                 Vulnerability   Fully Implemented\n                                                 Scanners\n                                                 Vulnerability   Fully Implemented\n                                                 Scanners\n                                                 Vulnerability   Fully Implemented\n                                                 Scanners\n Microsoft Word 2007                                             In Process\n Mysql5                                                          Fully Implemented\n                                                 Vulnerability   Fully Implemented\n                                                 Scanners\n\n                                                 Vulnerability   Fully Implemented\n                                                 Scanner\n                                                                 Fully Implemented\n\n                                                 Vulnerability   Fully Implemented\n                                                 Scanner\n                                                 Vulnerability   Fully Implemented\n                                                 Scanner\n\n                                                 Vulnerability   Fully Implemented\n                                                 Scanner\n                                                 Vulnerability   Fully Implemented\n                                                 Scanner\nSource: OMB FISMA Web Portal\n\n\nQuestion 8: Incident Reporting\n\n    \xe2\x80\xa2    How often does the agency comply (with) documented policies and\n         procedures for identifying and reporting incidents internally? Answer will\n         be a percentage range.\n\n    \xe2\x80\xa2    How often does the agency comply with documented policies and\n         procedures for timely reporting of incidents to US CERT? Answer will be\n         a percentage range.\n\n    \xe2\x80\xa2    How often does the agency comply documented policy and procedures\n         for reporting to law enforcements? Answer will be a percentage range.\n2009 FISMA Executive Summary Report                                     March 26, 2010\nReport No. 472\n                                       Page 28\n\x0cResponse. C5i found that the Commission does follow its documented policies\nand procedures for reporting incidents internally, to the United States Computer\nEmergency Response Team (US-CERT), and to law enforcement. The SEC has\na very robust Incident Response program using guidance and best practices\nfrom NIST, OMB, and FISMA.\n\nThe SEC has implemented the following policies to address Incident Response\nprocesses (details on these processes are provided below): OD 24-04.07\nInformation Security Incident Management, II 24-04.07.01 Computer Security\nIncident Response Capability, OP 24-04.07.01.02 Handling Inappropriate Usage\nIncidents, OP 24-04.07.01.03 Handling of Denial of Service Incidents, OP24-\n04.07.01.04 Handling Unauthorized Access Incidents, OP 24-04.07.01.05\nHandling Laptop Theft and Tampering Incidents, OP 24-04.07.01.05.A01 Laptop\nTheft and Tampering Incident Materials, SEC Incident Response Capability\nHandbook, and II 24-04.07.01.A01 SEC Incident Response Capability Handbook.\n\nIncident Response Capability Handbook\n\nThe Incident Response Capability (IRC) handbook was developed by the SEC to\nassist in the mission of the SEC Computer Security Incident Response Team\n(CSIRT). The handbook clearly and fully defines processes and procedures,\nroles and responsibilities, types of incidents, reporting criteria and timeframes,\nevidence collection and handling, event categories and incident severity, etc., as\nwell as post-mortem procedures, i.e., lessons learned.\n\nThe following excerpt was taken from the IRC handbook:\n\n       \xe2\x80\x9cThe CSIRT consists of both a permanent cadre and temporary task\n       organized teams. Whereas the permanent cadre is responsible for\n       ensuring the mission readiness of the CSIRT and controlling the\n       operational teams, it is the operational teams that actually perform the\n       hands-on response to security incidents. This organizational construct is\n       depicted in Chart 1 shown below.\n\n\n\n\n2009 FISMA Executive Summary Report                                   March 26, 2010\nReport No. 472\n                                      Page 29\n\x0c               Chart 1: CSIRT Organization\n\n\n\n\n               Source: Incident Response Capability Handbook\n\n       The CSIRT\xe2\x80\x99s permanent cadre consists of a manager, senior staff, and\n       supporting staff. Senior staff members of the permanent cadre are\n       selected because they have specific expertise needed in the CSIRT; that\n       is, they have management authority over SEC Federal resources and/or\n       contractor employees that are likely to become members of CSIRT\n       operational teams. Supporting staff are chosen based on their ability to\n       assist with activities in the CSIRT that continue regardless of whether any\n       incident response operations are underway. CSIRT members are\n       responsible for accomplishing much of the administrative, logistical, and\n       training needs of the CSIRT.\n\n       CSIRT operational teams are transient. They are chartered by the CSIRT\n       permanent cadre, charged with restoring a safe computing environment\n       when an incident occurs, and task organized to meet the challenges of\n       that individual mission. The CSIRT permanent cadre disbands each\n       operational team once it has accomplished its mission. II 24-04.07.01\n       documents command and control of the operational teams by the CSIRT\n       permanent cadre. This handbook documents procedures used for hands-\n       on response by the CSIRT operational teams.\xe2\x80\x9d\n\nThe handbook also defines which types of incidents are required to be reported\nto the US-CERT (based on OMB A-130 and FISMA) and which do not. The\ntypes of incidents that are not required to be reported are incidents that are self-\n2009 FISMA Executive Summary Report                                      March 26, 2010\nReport No. 472\n                                           Page 30\n\x0cinflicted, did not result in unauthorized access, or were not a result of an\nattacker\xe2\x80\x99s actions. All other incidents require reporting to US-CERT.\n\nExamples of the CSIRT procedures for incident handling from the IRC handbook\nare illustrated in Tables 9 and 10 below and in Figure 2, located in this report\xe2\x80\x99s\nAppendices.\n\n       Table 9: Laptop Theft Response Procedures\n       Detection and Analysis Stage             Team Member                           Status\n        1.   Interview the person the laptop is              CSIRT Manager or\n             assigned to using CSIRT-FRM-IH003 to            Op Team Lead\n             collect the required information. Within\n             one hour file a report with US CERT if\n             there is any possibility that PII has been\n             compromised, per OMB Memorandum\n             M-06-19, \xe2\x80\x9cReporting Incidents Involving\n             Personally Identifiable Information.\xe2\x80\x9d\n        2.   Alert CISO, OOD, and Chief Privacy              CSIRT Manager or\n             Officer that USCERT report has been             Op Team Lead\n             filed.\n        3.   Determine whether there exists                  CSIRT Manager or\n             substantial risk to any Government              Op Team Lead\n             network or mission as a result of the\n             theft.\n        4.   Determine whether any PII has been              CSIRT Manager or\n             compromised.                                    Op Team Lead\n        Containment, Eradication, and\n        Recovery Stage\n        5.   If it is determined that there is substantial   CSIRT Manager or\n             risk to any Government network as a             Op Team Lead\n             result of the theft take appropriate\n             precautions to mitigate the risk, such as\n             revoking the credentials of any user\n             whose credentials were available on, in,\n             or nearby the stolen laptop.\n        6.   If it is determined that any PII may have       CSIRT Manager or\n             been compromised, notify the Privacy            Op Team Lead\n             Officer.\n        Post-Incident Activity Stage\n        7.   Create a follow-up report.                      Op Team Lead\n        8.   Hold a lessons learned meeting.                 CSIRT Manager\n       Source: Incident Response Capability Handbook\n\n\n\n\n2009 FISMA Executive Summary Report                                             March 26, 2010\nReport No. 472\n                                           Page 31\n\x0c       Table 10: Unauthorized Access Response Procedure\n              Detection and Analysis Stage     Team Member                        Status\n\n        1. Prioritize handling the incident based on     CSIRT Manager\n           its business impact:\n           \xe2\x80\xa2 Identify which resources have been       Op Team Lead\n                affected and forecast which resources Op Team SSB Rep\n                will be affected.                     Op Team Network\n                                                      Rep\n           \xe2\x80\xa2 Estimate the current technical effect of Op Team Lead\n               the incident.                          Op Team SSB Rep\n                                                      Op Team Network\n                                                      Rep\n           \xe2\x80\xa2 Find the appropriate cell(s) in the      Op Team Lead\n               prioritization matrix, based on the    Op Team SSB Rep\n               technical effect and affected          Op Team Network\n               resources.                             Rep\n           \xe2\x80\xa2 If the incident is ongoing, determine    Op Team Lead\n               what additional logging may be         Op Team SSB Rep\n               required to capture evidence of        Op Team Network\n               wrongdoing. Affect the logging         Rep\n               changes.\n        2. Report the incident to the appropriate     Op Team Lead\n           internal personnel and external\n           organizations.\n        Containment, Eradication, and\n        Recovery Stage\n        3. Perform an initial containment of the         Op Team Lead\n           incident.                                     Op Team SSB Rep\n                                                         Op Team Network\n                                                         Rep\n        4. Acquire, preserve, secure, and document       Forensics Specialist\n           evidence.\n        5. Confirm the containment of the incident:      Op Team Lead\n           \xe2\x80\xa2 Further analyze the incident and            Op Team Lead\n               determine if containment was              Op Team SSB Rep\n               sufficient (including checking other      Op Team Network\n               systems for signs of intrusion).          Rep\n           \xe2\x80\xa2 Implement additional containment            Op Team Lead\n               measures if necessary.                    Op Team SSB Rep\n                                                         Op Team Network\n                                                         Rep\n        6. Eradicate the Vulnerability:\n           \xe2\x80\xa2 Identify and mitigate all vulnerabilities   Op Team SSB Rep\n              that were exploited.                       Op Team Network\n                                                         Rep\n\n\n2009 FISMA Executive Summary Report                                         March 26, 2010\nReport No. 472\n                                        Page 32\n\x0c        7. Recover from the incident:\n           \xe2\x80\xa2 Return affected systems to an                 Op Team SSB Rep\n              operationally ready state.                   Op Team Network\n                                                           Rep\n            \xe2\x80\xa2   Confirm that the affected systems are      Op Team SSB Rep\n                functioning normally.                      Op Team Network\n                                                           Rep\n            \xe2\x80\xa2   If necessary, implement additional         Op Team SSB Rep\n                monitoring to look for future related      Op Team Network\n                activity.                                  Rep\n        Post-Incident Activity Stage\n        8. Create a follow-up report.                      Op Team Lead\n        9. Hold a lessons learned meeting.                 CSIRT Manager\n       Source: IRC Handbook\n\nWe found that the Commission has robust incident prevention, detection,\nresponse, and reporting capabilities. This capability features a number of tools,\nsuch as:\n\n                                                        . The SEC has\n       implemented the                                                . The\n                                                    is an in-line device that is\n       inserted seamlessly and transparently into the network. As packets\n       pass through the Intrusion Protection System, they are fully\n       inspected to determine whether they are legitimate or malicious.\n       This instantaneous form of protection is the most effective means of\n       preventing attacks from ever reaching their targets.\n                                       provide Application Protection,\n       Performance Protection and Infrastructure Protection at gigabit\n       speeds through total packet inspection. Application Protection\n       capabilities provide fast, accurate, reliable protection from internal\n       and external cyber attacks. Through its Infrastructure Protection\n       capabilities, the                                             protects\n       VoIP infrastructure, routers, switches, DNS and other critical\n       infrastructure from targeted attacks and traffic anomalies.\n                                                 capabilities enable\n       customers to throttle non-mission critical applications that hijack\n       valuable bandwidth and IT resources, thereby aligning network\n       resources and business-critical application performance.\n\n                                                               delivers real-time\n       event management with                         As a key component of the\n                                                    delivers \xe2\x80\x9cforensics on the\n       fly,\xe2\x80\x9d the ability to drill down from an alert to the source events that\n       triggered the alert. The advanced real-time correlation capability of\n2009 FISMA Executive Summary Report                                          March 26, 2010\nReport No. 472\n                                         Page 33\n\x0c                         identifies the relevance of any given event by placing\n       it within context of who, what, where, when and why that event\n       occurred and its impact on business risk.                      correlates\n       incoming events with asset prioritization and vulnerability, user\n       activity, and threat history to deliver accurate and automated\n       prioritization of security risks and compliance violations. The\n       powerful correlation engine of                     processes many\n       millions of log entries down to the few critical events that matter.\n       These incidents are then presented through real-time dashboards,\n       notifications, or reports to the security administrator. Once risks are\n       identified,                   provides a built-in workflow engine that\n       guides risk containment activities including case management and\n       handing off the threat information to\n                   for threat isolation and remediation options. The\n       implementation at the SEC is currently being upgraded to the most\n       recent software version.\n\n                           The                      product offers a rich list\n       of features. The application effectively scans desktops in real-time,\n       and at preprogrammed scheduled times. The program also scans\n       for spyware and adware.            has an Antivirus Emergency\n       Response Team that continually monitors the worldwide virus\n       activities. The always-on protection guards against viruses,\n       spyware and other Internet threats that may enter Commission\n       systems via e-mail, instant message attachments, Internet\n       downloads, and web browsing.\n\n       Project Einstein II. The US-CERT Einstein Program is an initiative\n       that builds cyber-related situational awareness across the Federal\n       government. The program monitors government agencies\xe2\x80\x99\n       networks to facilitate the identification and response to cyber\n       threats and attacks, improve network security, increase the\n       resiliency of critical electronically delivered government services,\n       and enhance the survivability of the Internet. Einstein leverages\n       information technology so that the US-CERT can automate the\n       sharing of critical information across the entire Federal government.\n       Enhanced data sharing between Federal government agencies and\n       the US-CERT provides an advanced cyber view and analysis of the\n       Federal government\xe2\x80\x99s critical cyber networks.\n\n                                        is the premier computer forensic\n       application available. It gives investigators the ability to image a\n       drive and preserve it in a forensic manner using the\n       evidence file format                  a digital evidence container\n\n2009 FISMA Executive Summary Report                                       March 26, 2010\nReport No. 472\n                                       Page 34\n\x0c       validated and approved by courts worldwide.\n       also contains a full suite of analysis, bookmarking and reporting\n       features.                       and third-party vendors provide\n       support for expanded capabilities to ensure that forensic examiners\n       have the most comprehensive set of utilities.\n\n                                                 centralizes and streamlines\n       the complete case management lifecycle for cyber and physical\n       incidents and ethics violations.            web-based solution allows\n       the SEC to capture organizational events that may escalate into\n       incidents, evaluate incident criticality, and assign response team\n       members based on business impact and regulatory requirements.\n       You can also consolidate response procedures, manage\n       investigations end-to-end, and report on trends, losses, recovery\n       efforts and related incidents. Powered by the\n                    , the Incident Management software solution allows you\n       to effectively handle incidents that occur anywhere you do business\n       from detection through analysis and resolution. The SEC\xe2\x80\x99s\n       implementation is currently being upgraded to the latest software\n       version.\n\n                                                . The SEC uses\n                  test receivers and                    for wireless scanning.\n                                   is a wireless test receiver system that\n       demodulates, sweeps, analyzes, and optimizes all popular 802.11\n       Wi-Fi network standards including 802.11b/g (2.4 GHz), 802.11n,\n       and even 802.11a (5 GHz).               is an 802.11 layer2 wireless\n       network detector, sniffer, and intrusion detection system.\n       will work with any wireless card which supports raw monitoring\n       (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.\n              t identifies networks by passively collecting packets and\n       detecting standard named networks, detecting (and given time, de-\n       cloaking) hidden networks, and inferring the presence of non-\n       beaconing networks via data traffic.\n\nWe found local processes and procedure based on NIST SP 800-61, Computer\nSecurity Incident Handling Guide as well as the following publications:\n\n   \xe2\x80\xa2   NIST SP 800-72, Guidelines on PDA Forensics\n   \xe2\x80\xa2   NIST SP 800-83, Guide to Malware Incident Prevention and Handling\n   \xe2\x80\xa2   NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident\n       Response\n   \xe2\x80\xa2   NIST SP 800-101, Guidelines on Cell Phone Forensics\n\n\n2009 FISMA Executive Summary Report                                      March 26, 2010\nReport No. 472\n                                      Page 35\n\x0c     \xe2\x80\xa2   CMU/SEI-2003-HB-001, Organizational Models For Computer Security\n         Incident Response Teams (CSIRTs)\n     \xe2\x80\xa2   CMU/SEI-20030TR-001, State of the Practice of Computer Security\n         Incident Response Teams (CSIRTs)\n     \xe2\x80\xa2   CMU/SEI-20030HB-002, Handbook for Computer Security Incident\n         Response Teams (CSIRTs)\n     \xe2\x80\xa2   CMU/SEI-2004-TR-015, Defining Incident Management Processes for\n         CSIRTs\n     \xe2\x80\xa2   CMU/SEI-20050HB-001, First Responders Guide to Computer Forensics\n     \xe2\x80\xa2   SAND98-8667, A Common Language for Computer Security Incidents,\n         Howard and Longstaff, Sandia National Laboratories\n\nThe incident reporting procedures are widely used and fully integrated into the\nSEC\xe2\x80\x99s IT management processes. We assess that the incident response\nprocedures are complied with between 90 and 100 percent of the time.\n\nIn question 8(a), we found that the SEC has a robust collaborative relationship\nwith the US-CERT. The SEC complies with documented policies and procedures\nfor timely reporting of incidents to US- CERT between 90 and 100 percent of the\ntime.\n\nIn question 8(b), we found that the SEC does comply with the documented\npolicies and procedures for reporting to law enforcement at least 90 percent of\nthe time.\n\nBased on our review and analysis, we answered OMB question 8 as shown in\nTable 11.\n\nTable 11: OIG Response to Question 8\n                                                                  Recommended\n ID      Question from OMB Questionnaire\n                                                                  Response\n      How often does the agency comply (with) documented\n 8    policies and procedures for identifying and reporting        90% to 100%\n      incidents internally?\n      How often does the agency comply with documented\n 8(a) policies and procedures for timely reporting of incidents    90% to 100%\n      to US CERT?\n      How often does the agency comply documented policy\n 8(b)\n      and procedures for reporting to law enforcement?             90% to 100%\nSource: OMB FISMA Web Portal\n\n\n\n\n2009 FISMA Executive Summary Report                                   March 26, 2010\nReport No. 472\n                                      Page 36\n\x0cQuestion 9: Security Awareness Training\n\n    \xe2\x80\xa2    Has the agency ensured IT security awareness training of all users with\n         log in privileges, including contractors and those employees with\n         significant IT security responsibilities? Provide explanatory detail in the\n         space provided.\n\n    \xe2\x80\xa2    Has the Agency developed and documented an adequate policy for\n         identifying all general users, contractors, and system owners/employees\n         who have log in privileges, and providing them with suitable IT security\n         awareness training? Yes/No/NA.\n\n    \xe2\x80\xa2    Report the following for your agency:\n\n          o Total number of people with log in privileges to agency systems.\n\n          o Number of people with log in privileges to agency systems that\n            received information security awareness training during the past\n            fiscal year, as described in NIST Special Publication 800-50,\n            \xe2\x80\x9cBuilding an Information Technology Security Awareness and\n            Training Program\xe2\x80\x9d (October 2003).\n\n          o (The) total number of employees with significant information security\n            responsibilities.\n          o Number of employees with significant security responsibilities that\n            received specialized training, as described in NIST Special\n            Publication 800-16, \xe2\x80\x9cInformation Technology Security Training\n            Requirements: A Role-and Performance-Based Model,\xe2\x80\x9d (April 1998).\n\nResponse. OIT Security entered into a second OMB Security line-of-business\ninitiative in 2007 with the Department of State to purchase the Cyber Security\nAwareness Course known as JSAS. JSAS is an automated computer-based-\ntraining that provides standard cyber security training across the Federal\nGovernment, and allows for instant reporting and password resets. Users are\nrequired to read and review the content, as well as pass a test to complete the\ntraining. In addition to the standard cyber security training offered by the\nDepartment of State SEC paid for an additional module to support compliance\nwith the SEC Rules of the Road. In 2009, the Rules of the Road went through a\nmajor update through the SEC policy review process.\n\nThe SEC takes Cyber Security Awareness training very seriously. Individuals\nwho do not successfully complete the training by October 31, 2009 risk having\ntheir access credentials frozen until they successfully complete the training.\n\n2009 FISMA Executive Summary Report                                      March 26, 2010\nReport No. 472\n                                      Page 37\n\x0cThe screenshot below demonstrates the reporting and tracking capability of the\nJSAS tool showing that as of November 3, 2009 3,788 of 4,400 users (86\npercent) have successfully completed the Cyber Security Awareness Course. As\nof November 14, 2009, the final numbers reported to OMB are 4,101 of 4,383\nusers (94 percent completed the Security Awareness Training.\n\nThe SEC Cyber Security Awareness Training Certificate Summary is illustrated in\nFigure 3, located in this report\xe2\x80\x99s Appendices. Based on our review, we answered\nquestion 9 as shown in Table 12 below.\n\nTable 12: OIG Response to Question 9\n                                                                  Recommended\n ID      Question from OMB Questionnaire\n                                                                  Response\n       Has the agency ensured IT security awareness\n       training of all users with log in privileges, including\n 9     contractors and those employees with significant IT              Yes\n       security responsibilities? Provide explanatory detail in\n       the space provided.\n       Has the Agency developed and documented an\n       adequate policy for identifying all general users,\n 9(a) contractors, and system owners/employees who have                 Yes\n       log in privileges, and providing them with suitable IT\n       security awareness training?\n 9(b) Report the following for your agency:\n       Total number of people with log in privileges to\n 9(b)1                                                                 4383\n       agency systems\n       Number of people with log in privileges to agency\n       systems that received information security awareness\n       training during the past fiscal year, as described in\n 9(b)2                                                                 4104\n       NIST Special Publication 800-50, "Building an\n       Information Technology Security Awareness and\n       Training Program" (October 2003).\n       Total number of employees with significant\n 9(b)3                                                                  453\n       information security responsibilities.\nSource: OMB FISMA Web Portal\n\n\nQuestion 10: Peer-To-Peer File Sharing\nDoes the agency explain policies regarding the use peer-to-peer file sharing in IT\nsecurity awareness training, ethics training, or any other agency-wide training?\n\nResponse. The Commission has monitoring systems and policies (SECR 24-04\nInformation Technology Security Program and SECR 24-04.04.02 IT Security\nConfiguration Management) covering the use of collaborative web technologies\n2009 FISMA Executive Summary Report                                   March 26, 2010\nReport No. 472\n                                      Page 38\n\x0cand peer-to-peer file sharing in IT security awareness, ethics, or other agency-\nwide training courses. For example, the SEC Rules of the Road (SECR 24-04-\nA01) user behavior policy prohibits the access or use of peer-to-peer\nsoftware/systems within the SEC network. Additionally, the prohibited use of\npeer-to-peer software is addressed as a module in the Commission\xe2\x80\x99s annual\ncyber security training course.\n\n\n\n\n2009 FISMA Executive Summary Report                                   March 26, 2010\nReport No. 472\n                                      Page 39\n\x0c                                                                        Appendix I\n\n\n                                      Acronyms\n   APS                            Automated Procurement System\n   C&A                            Certification and Accreditation\n   CIO                            Chief Information Officer\n   CISO                           Chief Information Security Officer\n   CM/QA                          Configuration Management/Quality Assurance\n   CPO                            Chief Privacy Officer\n   CSAM                           Cyber Security Assessment and Management\n   CSIRT                          Computer Security Incident Response Team\n   DHS                            Department of Homeland Security\n   FDCC                           Federal Desktop Core Configuration\n   FIPS                           Federal Information Processing Standards\n   FISMA                          Federal Information Systems Management Act\n   GAO                            Government Accountability Office\n   GPO                            Group Policy Objective\n   GSS                            General Support System\n   HIDS                           Host-Based Intrusion Detection Systems\n   IDS                            Intrusion Detection System\n   IRC                            Incident Response Capability\n   JSAS                           Cyber-Security Awareness Course\n   NIST                           National Institute of Standards and Technology\n   O-CCB                          Operational Change Control Board\n   OED                            Office of the Executive Director\n   OIG                            Office of the Inspector General\n   OIT                            Office of Information Technology\n   OMB                            Office of Management and Budget\n\n\n2009 FISMA Executive Summary Report                                     March 26, 2010\nReport No. 472\n                                        Page 40\n\x0c                                                                       Appendix I\n\n\n   PIA                            Privacy Impact Assessment\n   PII                            Personally Identifying Information\n   PIRT                           Privacy Incident Response Team\n   POA&M                          Plan of Action and Milestone\n   QM                             Quality Management\n   SAOP                           Senior Agency Official for Privacy\n   SEC                            The U.S. Securities and Exchange Commission\n   SSN                            Social Security Number\n   ST&E                           Security Test and Evaluation\n   US-CERT                        United States Computer Emergency Readiness\n                                  Team\n\n\n\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                        Page 41\n\x0c                                                                       Appendix II\n\n\n                        Scope and Methodology\n\nThis review was not conducted in accordance with government auditing\nstandards.\n\nScope. The scope of this effort included all systems owned or operated by the\nCommission or its contractors on behalf of the Commission.\n\nMethodology. To meet the evaluation objective to assess the FISMA and report\non how the Commission implemented its mandated information security\nrequirements, C5i completed the OIG portion of the 2009 FISMA reporting\ntemplate and based its responses on interviews with key personnel, independent\nobservations, and the examination of supporting documentation.\n\nInterviews with key personnel included systems owners, business-line managers,\nOIT representatives, and OIG personnel. Personnel were interviewed regarding\nthe issues germane to completing the OIG portion of the 2009 FISMA reporting\ntemplate. Areas discussed included:\n\n   \xe2\x80\xa2   Processes and procedures for maintaining and inventory of information\n       systems and tangible equipment (including portable devices).\n   \xe2\x80\xa2   Certification and accreditation processes and procedures.\n   \xe2\x80\xa2   Implementation and testing of security controls.\n   \xe2\x80\xa2   Contingency planning and testing.\n   \xe2\x80\xa2   Commission oversight of contractor systems.\n   \xe2\x80\xa2   POA&M processes and procedures.\n   \xe2\x80\xa2   Privacy program and privacy impact assessments.\n   \xe2\x80\xa2   Configuration management.\n   \xe2\x80\xa2   Incident reporting.\n   \xe2\x80\xa2   Security awareness training.\n   \xe2\x80\xa2   Collaborative web technologies and peer to peer file sharing.\n   \xe2\x80\xa2   E-authentication risk assessments.\n\nC5i also reviewed an extensive collection of system artifacts, policies, and other\ndocumentation relating to the systems and issues that were identified.\n\nManagement Controls. We reviewed the existing controls that were considered\nsignificant for FISMA and within the context of the evaluation objectives.\n\n\n\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                      Page 42\n\x0c                                                                    Appendix III\n\nPrior Audit Coverage. We conducted an assessment of the Commission\xe2\x80\x99s\nFISMA program in 2008. The review looked at the FISMA major security areas\nas well as performed an assessment of two of the Agencies information systems;\nthe Complaints/Tips/Referrals, and the Office of Compliance Inspections and\nExaminations Adviser Surveillance Intelligence System applications. The report\ncontained three recommendations and revealed that while there were no\nsignificant issues with the systems, there were some problems with the overall\nsecurity program. Not all the report recommendations have been closed.\nSpecifically we recommended that:\n\n   \xe2\x80\xa2   OIT complete the security controls and contingency plan testing for\n       the remaining systems.\n   \xe2\x80\xa2   OIT address the requirements for FDCC to include:\n          o Adopting and implementing the FDCC standard\n              configurations and documenting any deviations.\n          o Modifying all contracts related to common security settings\n              to include the New Federal Acquisition Regulation 2007-004\n              language.\n          o Implementing the FDCC security settings for all Windows XP\n              and VISTA computing systems.\n\n\n\n\n2009 FISMA Executive Summary Report                                  March 26, 2010\nReport No. 472\n                                      Page 43\n\x0c                                                                        Appendix III\n\n\n                                      Criteria\n\nOMB Memorandum M-09-29, Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management. This\nmemorandum provides instructions for meeting agency FY 2009 reporting\nrequirements under the Federal Information Security Management Act of 2002\n(FISMA) (Title III, Pub. L. No. 107-347). It also includes reporting instructions for\nagency privacy management programs.\n\nOMB Memorandum M-07-16, Safeguarding Against and Responding to the\nBreach of Personally Identifiable Information, May 22, 2007. This memorandum\nrequires agencies to develop and implement a breach5 notification policy. This is\na responsibility shared by officials accountable for administering operational and\nprivacy and security programs, legal counsel, Agencies\xe2\x80\x99 Inspectors General and\nother law enforcement, and public and legislative affairs. It is also a function of\napplicable laws, such as the Federal Information Security Management Act of\n2002 (FISMA) and the Privacy Act of 1974.\n\nOMB Memorandum M-06-19, Reporting Incidents Involving Personally\nIdentifiable Information and Incorporating the Cost for Security in Agency\nInformation Technology Investments, July 12, 2006. This memorandum provides\nupdated guidance on the reporting of security incidents involving personally\nidentifiable information and to remind you of existing requirements, and explain\nnew requirements your agency will need to provide addressing security and\nprivacy in your fiscal year 2009 budget submissions for information technology.\n\nOMB Memorandum M-06-16, Protection of Sensitive Agency Information (June\n23, 2006). This memorandum recommends a number of actions necessary to\nprotect sensitive information.\n\nOMB Memorandum M-06-15, Safeguarding Personally Identifiable Information\n(May 22, 2006). This memorandum reemphasizes agency responsibilities under\nlaw and policy to appropriately safeguard sensitive personally identifiable\ninformation and to train employees on their responsibilities.\n\nOMB Memorandum M-03-22, Guidance for Implementing Privacy Provisions of\nthe E-Government Act of 2002, September 30, 2003. This memorandum\nprovides information to agencies on implementing the privacy provisions of the E-\nGovernment Act of 2002, which was signed by the President on December 17,\n2002 and became effective on April 17, 2003.\n\nNIST SP 800-72, Guidelines on PDA Forensics. This guide provides an in-depth\nlook into PDAs and explaining the technologies involved and their relationship to\n\n2009 FISMA Executive Summary Report                                      March 26, 2010\nReport No. 472\n                                       Page 44\n\x0c                                                                      Appendix III\n\nforensic procedures. It covers three families of devices \xe2\x80\x93 Pocket PC, Palm OS,\nand Linux-based PDAs \xe2\x80\x93 and the characteristics of their associated operating\nsystem.\n\nNIST SP 800-83, Guide to Malware Incident Prevention and Handling. This\npublication provides recommendations for improving an organizations malware\nincident prevention measures. It also gives extensive recommendations for\nenhancing an organizations existing incident response capability so that it is\nbetter prepared to handle malware incidents, particularly widespread ones. The\nrecommendations address several major forms of malware, including viruses,\nworms, Trojan horses, malicious mobile code, blended attacks, spyware tracking\ncookies, and attacker tools such as backdoors and rootkits. The\nrecommendations encompass various transmission mechanisms, including\nnetwork services (e.g., e-mail, Web browsing, file sharing) and removable media.\n\nNIST SP 800-86, Guide to Integrating Forensic Techniques into Incident\nResponse. This guide provides detailed information on establishing a forensic\ncapability, including the development of policies and procedures. Its focus is\nprimarily on using forensic techniques to assist with computer security incident\nresponse, but much of the material is also applicable to other situations.\n\nNIST SP 800-101, Guidelines on Cell Phone Forensics. The objective of the\nguide is twofold: (1) To help organizations evolve appropriate policies and\nprocedures for dealing with cell phones; and (2) To prepare forensic specialists\nto contend with new circumstances involving cell phones when they arise.\n\nCMU/SEI-2003-HB-001, Organizational Models For Computer Security Incident\nResponse Teams (CSIRTs). This handbook describes different organizational\nmodels for implementing incident handling capabilities, including each model\xe2\x80\x99s\nadvantages and disadvantages and the kinds of incident management services\nthat best fit with it. An earlier SEI publication, the Handbook for Computer\nSecurity Incident Response Teams (CSIRTs) (CMU/SEI-2003-HB-002), provided\nthe baselines for establishing incident response capabilities.\n\nCMU/SEI-20030TR-001, State of the Practice of Computer Security Incident\nResponse Teams (CSIRTs). This report provides an objective study of the state\nof the practice of incident response, based on information about how CSIRTs\naround the world are operating. It covers CSIRT services, projects, processes,\nstructures, and literature, as well as training, legal, and operational issues.\n\nCMU/SEI-2003-HB-002, Handbook for Computer Security Incident Response\nTeams (CSIRTs). This report proposes an intrusion-aware design model called\ntrustworthy refinement through intrusion-aware design (TRIAD). TRIAD helps\ninformation system decision makers formulate and maintain a coherent,\n\n2009 FISMA Executive Summary Report                                    March 26, 2010\nReport No. 472\n                                      Page 45\n\x0c                                                                       Appendix III\n\njustifiable, and affordable survivability strategy that addresses mission-\ncompromising threats for their organization.\n\nCMU/SEI-2004-TR-015, Defining Incident Management Processes for CSIRTs.\nThis report presents a prototype best practice model for performing incident\nmanagement processes and functions. It defines the model through five high-\nlevel incident management processes: Prepare/Sustain/Improve, Protect\nInfrastructure, Detect Events, Triage Events, and Respond. Workflow diagrams\nand descriptions are provided for each of these processes.\n\nCMU/SEI-2005-HB-001, First Responders Guide to Computer Forensics. This\nhandbook is for technical staff members charged with administering and securing\ninformation systems and networks. It targets a critical training gap in the fields of\ninformation security, computer forensics, and incident response: performing basic\nforensic data collection.\n\nSAND98-8667, A Common Language for Computer Security Incidents. This\npaper presents the results of a project to develop a common language for\ncomputer security incidents. This project results from cooperation between the\nSecurity and Networking Research Group at the Sandia National Laboratories,\nLivermore, CA, and the CERT\xc2\xae Coordination Center at Carnegie Mellon\nUniversity, Pittsburgh, PA.\n\n\n\n\n2009 FISMA Executive Summary Report                                     March 26, 2010\nReport No. 472\n                                      Page 46\n\x0c                                                Appendix IV\n\n\n                             CSAM Screenshots\n\nFigure 1: CSAM Screenshots\n\n\n\n\nSource: CSAM Home Page\n\n\n\n\n2009 FISMA Executive Summary Report              March 26, 2010\nReport No. 472\n                                      Page 47\n\x0c                                                Appendix V\n\n\n                     Inventory of GAO POA&Ms\n\nFigure 2: Inventory of GAO POA&Ms\n\n\n\n\nSource: CSAM Home Page\n\n\n\n\n2009 FISMA Executive Summary Report             March 26, 2010\nReport No. 472\n                                      Page 48\n\x0c                                                Appendix VI\n\n\n                            POA&M Entry Page\n\nFigure 3: POA&M Entry Page\n\n\n\n\nSource: CSAM Home Page\n\n\n\n\n2009 FISMA Executive Summary Report              March 26, 2010\nReport No. 472\n                                      Page 49\n\x0c                                                Appendix VII\n\n\n                                  POA&M Page\n\nFigure 4: POA&M Page\n\n\n\n\nSource: CSAM Home Page\n\n\n\n\n2009 FISMA Executive Summary Report              March 26, 2010\nReport No. 472\n                                      Page 50\n\x0c                                                Appendix VIII\n\n\n                            SEC Custom Query\n\nFigure 5: SEC Custom Query\n\n\n\n\nSource: CSAM Home Page\n\n\n\n\n2009 FISMA Executive Summary Report               March 26, 2010\nReport No. 472\n                                      Page 51\n\x0c                                                 Appendix IX\n\n\n                            System Inventories\n\nFigure 6: System Inventories\n\n\n\n\nSource: CSAM Home Page\n\n\n\n\n2009 FISMA Executive Summary Report               March 26, 2010\nReport No. 472\n                                      Page 52\n\x0c                                                   Appendix X\n\n\n                  Incident Escalation Flow Chart\n    Figure 7: Incident Escalation Flow Chart\n\n\n\n\n    Source: OIT Security Group\n\n\n\n\n2009 FISMA Executive Summary Report                March 26, 2010\nReport No. 472\n                                      Page 53\n\x0c                                                  Appendix XI\n\n\n                    Cyber Security Awareness Training\n\nFigure 8: Cyber Security Awareness Training\n\n\n\n\nSource: Department of Justice\n\n\n\n\n2009 FISMA Executive Summary Report                March 26, 2010\nReport No. 472\n                                      Page 54\n\x0c                                                                                            Appendix XII\n\n\n                             Management Comments\n\n\n\n\n                                              Memorandum\n\n        Date:       March 9, 2010\n\n       To:          David Kotz, Inspector General, OIG\n                    Jacqueline Wilson, Assistant Inspector General, OIG\n\n        From:       Charles Boucher, Chief Information Officer, OIT   ~C(}"";(1f4.\n       Subject:     Management Response to OIG Report 472,2009 FISMA Executive Summary\n                    Report\n\n\n         The Office of Information Technology appreciates the opportunity to comment on the subject\n       report. We are pleased that the OIG found no need for recommendations on "how the\n       Commission has implemented its mandated information security requirements."\n\n\n\n\n2009 FISMA Executive Summary Report                                                            March 26, 2010\nReport No. 472\n                                                Page 55\n\x0c                     Audit Requests and Ideas\n\nThe Office of Inspector General welcomes your input. If you would like to\nrequest an audit in the future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Idea)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTel. #: 202-551-6061\nFax #: 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n      Hotline\n      To report fraud, waste, abuse, and mismanagement at SEC,\n      contact the Office of Inspector General at:\n\n      Phone: 877.442.0854\n\n      Web-Based Hotline Complaint Form:\n      www.reportlineweb.com/sec_oig\n\x0c'